PT-2026-41353 · Vvveb Cms · Vvveb Cms

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-44826

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.2
Description Vvveb CMS fails to validate the sign of the quantity parameter on the 'cart-add' endpoint. By submitting a negative integer, the server processes it as a normal line-item, causing downstream computations for line totals, sub-totals, taxes, and grand totals to become negative. This allows the checkout flow to accept a negative cart, resulting in orders being saved in the merchant database with a negative total, creating records where the merchant effectively owes the customer money.
Recommendations Update to version 1.0.8.2.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44826
GHSA-75X2-J47J-MG8J

Affected Products

Vvveb Cms