PT-2026-41359 · Vvveb · Vvveb

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-45622

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.3
Description An unauthenticated reflected cross-site scripting (XSS) issue exists in the public product return form. The customer order id POST parameter is inserted into an error message when an order lookup fails, and this message is rendered in the frontend template without HTML escaping. This allows attacker-controlled HTML or JavaScript to execute in the browser of the user who submits the form.
Recommendations Update to version 1.0.8.3.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45622
GHSA-3XWM-8F6M-CFC6

Affected Products

Vvveb