CVE Catalog

CVE-2026-41932

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile - higher than 12% of all known CVEs

Summary

Vvveb before version 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow. The Signup::addUser() controller copies raw POST username values into the display_name field before sanitization, allowing attackers to inject HTML and script markup.

Risk Assessment

An attacker can store malicious scripts in the display_name field, which will execute in other users' browsers when rendered without encoding, potentially leading to session theft, redirects, or data theft.

Recommendation

Upgrade Vvveb to version 1.0.8.3 or later immediately. If upgrading is not possible, manually apply input sanitization and output encoding for the display_name field in all views.

Original NVD description (English source)

Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS