{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34429", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-27T15:24:06.752Z", "datePublished": "2026-04-20T13:54:37.019Z", "dateUpdated": "2026-04-20T14:56:19.205Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-20T13:54:37.019Z"}, "title": "Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "givanz", "product": "Vvveb", "repo": "https://github.com/givanz/Vvveb", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.8.1", "versionType": "semver"}, {"status": "unaffected", "version": "cc997d3359ea5e49a45c132f5dee3bc80fb441d7", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vvveb prior to\u00a01.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vvveb prior to&nbsp;1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.<br>"}]}], "references": [{"url": "https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1", "tags": ["release-notes"]}, {"url": "https://github.com/givanz/Vvveb/commit/cc997d3359ea5e49a45c132f5dee3bc80fb441d7", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Hamed Kohi", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:50:07.310752Z", "id": "CVE-2026-34429", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:19.205Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34429", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:50:07.310752Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:14.248Z"}}], "cna": {"title": "Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Hamed Kohi"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/givanz/Vvveb", "vendor": "givanz", "product": "Vvveb", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.8.1", "versionType": "semver"}, {"status": "unaffected", "version": "cc997d3359ea5e49a45c132f5dee3bc80fb441d7", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1", "tags": ["release-notes"]}, {"url": "https://github.com/givanz/Vvveb/commit/cc997d3359ea5e49a45c132f5dee3bc80fb441d7", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vvveb prior to\u00a01.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.", "supportingMedia": [{"type": "text/html", "value": "Vvveb prior to&nbsp;1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-20T13:54:37.019Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34429", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:56:19.205Z", "dateReserved": "2026-03-27T15:24:06.752Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-20T13:54:37.019Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vvveb prior to\u00a01.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution."}], "id": "CVE-2026-34429", "lastModified": "2026-04-20T16:16:44.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:44.650", "references": [{"source": "disclosure@vulncheck.com", "url": "https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/givanz/Vvveb/commit/cc997d3359ea5e49a45c132f5dee3bc80fb441d7"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.8.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "cc997d3359ea5e49a45c132f5dee3bc80fb441d7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vvveb", "source": "cna", "vendor": "givanz"}, "product": "vvveb", "vendor": "givanz"}], "analysis": {"en": {"generated_at": "2026-04-20T15:54:35.053310+00:00", "value": {"mitigation_remediation": ["Upgrade Vvveb to version 1.0.8.1 or later", "Limit media upload and rename permissions to trusted administrators only; consider disabling rename of uploaded files", "Enforce strict MIME type validation on server\u2011side uploads and reject files with non\u2011matching extensions or content types; block .html and other executable extensions in media upload directories"], "summary": {"action": "Patch immediately", "impact": "Stored Cross\u2011Site Scripting leading to potential account takeover and remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Vvveb content\u2011management system, specifically any installation running a version earlier than 1.0.8.1. Only users who are authenticated and have permissions to upload and rename media files are able to exploit the flaw; administrators applying the fix should upgrade to the released 1.0.8.1 or later, which removes the MIME type bypass and filename\u2011change loophole.", "description_and_impact": "Vvveb versions prior to 1.0.8.1 contain a stored cross\u2011site scripting flaw that allows authenticated users with media upload and rename rights to inject arbitrary JavaScript. By appending a GIF89a header to an HTML/JavaScript payload and then renaming the file to a .html extension, the attacker can execute malicious code in the browser of any administrator who later opens the file. The injected script can create backdoor accounts and upload malicious plugins, ultimately enabling remote code execution. The weakness is a classic CWE\u201179 stored XSS.", "risk_and_exploitability": "The CVSS score of 5.1 reflects moderate severity, but the lack of an EPSS score means there is currently no publicly available data on exploitation probability. The flaw is not listed in the CISA KEV catalog. Because exploitable only by authenticated users with specific file\u2011handling permissions, the risk depends on the strength of access controls and user credentials. However, once a file is executed, the attacker can gain a fresh administrative account and upload code that can run on the server, effectively providing a backdoor for remote code execution. Consequently, organizations that host Vvveb sites should treat this as a high\u2011risk vulnerability if their CMS is exposed to untrusted users or has weak authentication mechanisms."}}}}, "created": "2026-04-20T16:00:10.643893+00:00", "updated": "2026-04-20T16:30:06.099010+00:00", "vendors": ["givanz", "givanz$PRODUCT$vvveb"]}