CVE-2026-41932
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
Vvveb before version 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow. The Signup::addUser() controller copies raw POST username values into the display_name field before sanitization, allowing attackers to inject HTML and script markup.
Risk Assessment
An attacker can store malicious scripts in the display_name field, which will execute in other users' browsers when rendered without encoding, potentially leading to session theft, redirects, or data theft.
Recommendation
Upgrade Vvveb to version 1.0.8.3 or later immediately. If upgrading is not possible, manually apply input sanitization and output encoding for the display_name field in all views.
Original NVD description (English source)
Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.

