CVE-2026-5615
Received Received - Intake
Cross-Site Scripting in Givanz Vvvebjs File Upload Endpoint

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function of the file upload.php of the component File Upload Endpoint. This manipulation of the argument uploadAllowExtensions causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: 8cac22cff99b8bc701c408aa8e887fa702755336. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5615
EUVD
EUVD-2026-19160
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
givanz vvvebjs to 2.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the givanz Vvvebjs software up to version 2.0.5, specifically in the file upload.php component responsible for handling file uploads.

The issue arises from manipulation of the argument uploadAllowExtensions, which leads to a cross-site scripting (XSS) vulnerability. This means an attacker can inject malicious scripts through the file upload functionality.

Remote exploitation is possible, allowing attackers to execute scripts in the context of the victim's browser.

A patch has been released that removes the 'svg' file extension from the allowed upload types to mitigate this risk, as SVG files can contain malicious scripts.

Impact Analysis

This vulnerability can allow attackers to perform cross-site scripting (XSS) attacks by uploading malicious SVG files.

Such attacks can lead to unauthorized script execution in users' browsers, potentially resulting in session hijacking, defacement, or theft of sensitive information.

Because the exploit is publicly available, the risk of attack is increased if the vulnerable version is used without applying the patch.

Detection Guidance

This vulnerability involves the upload.php file allowing SVG file uploads, which can lead to cross site scripting attacks. Detection can focus on monitoring or scanning for SVG file uploads through the file upload endpoint.

You can check your system for the presence of SVG files being uploaded by inspecting web server logs or by searching the upload directories for SVG files.

  • Use command to find SVG files in upload directories: find /path/to/uploads -type f -name '*.svg'
  • Check web server access logs for POST requests to upload.php that include SVG files: grep 'upload.php' /var/log/apache2/access.log | grep '.svg'
  • Use network monitoring tools to detect HTTP POST requests containing SVG files to the upload endpoint.
Mitigation Strategies

The recommended immediate mitigation is to apply the patch identified by commit 8cac22cff99b8bc701c408aa8e887fa702755336, which removes 'svg' from the allowed file extensions in upload.php.

This patch prevents SVG file uploads that could be exploited for cross site scripting attacks.

If patching immediately is not possible, temporarily disable or restrict file uploads to exclude SVG files.

Additionally, monitor and block suspicious upload attempts and consider implementing input validation and sanitization on uploaded files.

Compliance Impact

The vulnerability in givanz Vvvebjs allows cross site scripting (XSS) via manipulation of the uploadAllowExtensions argument in the file upload.php component. Such XSS vulnerabilities can potentially lead to unauthorized access or manipulation of user data.

While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could impact compliance by exposing personal or sensitive data to unauthorized parties, violating data protection requirements.

Applying the recommended patch mitigates this risk and helps maintain compliance with such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart