PT-2026-41360 · Vvveb · Vvveb

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-45800

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.3
Description An authenticated SQL injection exists in the frontend user order history page. A user with standard frontend privileges can access the '/user/orders' endpoint, where the order by and direction request parameters are accepted from the URL and passed through the Orders component. These parameters are directly concatenated into the SQL ORDER BY clause within the getAll() function of OrderSQL, allowing attacker-controlled input to reach the SQL structure without a whitelist or safe query construction.
Recommendations Update to version 1.0.8.3.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45800
GHSA-VWCX-W4FQ-9769

Affected Products

Vvveb