CVE-2026-34429

Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename

Assigner: VulnCheck
Reserved: 27.03.2026 Published: 20.04.2026 Updated: 20.04.2026

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	givanz
Product	Vvveb
Versions	Default: unaffected affected from 0 to 1.0.8.1 (excl.) Version cc997d3359ea5e49a45c132f5dee3bc80fb441d7 is unaffected

Vendor

givanz

Product

Vvveb

Versions

Default: unaffected

affected from 0 to 1.0.8.1 (excl.)
Version cc997d3359ea5e49a45c132f5dee3bc80fb441d7 is unaffected

Credits

Hamed Kohi finder
VulnCheck coordinator

References

Problem Types