PT-2026-41359 · Vvveb · Vvveb
Published
2026-05-15
·
Updated
2026-05-15
·
CVE-2026-45622
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Vvveb versions prior to 1.0.8.3
Description
An unauthenticated reflected cross-site scripting (XSS) issue exists in the public product return form. The
customer order id POST parameter is inserted into an error message when an order lookup fails, and this message is rendered in the frontend template without HTML escaping. This allows attacker-controlled HTML or JavaScript to execute in the browser of the user who submits the form.Recommendations
Update to version 1.0.8.3.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vvveb