CVE-2026-41929
Deferred Deferred - Pending Action
Unauthenticated Reflected XSS in Vvveb Visual Editor

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: VulnCheck

Description
Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vvveb vvveb to 1.0.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vvveb versions before 1.0.8.2 and is an unauthenticated reflected cross-site scripting (XSS) issue in the visual editor preview renderer.

Attackers can exploit it by manipulating the 'r' query parameter and the '_component_ajax' POST parameter to execute arbitrary JavaScript code.

The vulnerability arises because the gating function isEditor() does not verify session, role, or token, and the view handler injects raw HTML from the POST body without sanitization.

This allows attackers to craft malicious links or auto-submitted forms that cause victims to run attacker-controlled JavaScript in the context of the Vvveb origin.

Impact Analysis

This vulnerability can lead to attackers executing arbitrary JavaScript in the victim's browser within the context of the Vvveb application.

Potential impacts include theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the user, and possible compromise of user accounts.

Because the vulnerability is unauthenticated and requires only user interaction (UI:R), it can be exploited by tricking users into clicking malicious links or submitting forms.

Compliance Impact

The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of the Vvveb origin, which can lead to session hijacking, account takeover, phishing, cross-site request forgery, and persistent backdoor installation.

Such impacts can compromise the confidentiality and integrity of user data, potentially violating data protection requirements under standards like GDPR and HIPAA that mandate safeguarding personal and sensitive information against unauthorized access and attacks.

Because the vulnerability enables attackers to execute malicious scripts without authentication and can lead to unauthorized data access or manipulation, affected systems may fail to meet compliance obligations related to secure user authentication, data integrity, and protection against cross-site scripting attacks.

Detection Guidance

Detection of this vulnerability involves identifying attempts to exploit the unauthenticated reflected XSS via the visual editor preview renderer. Specifically, look for HTTP requests containing the 'r' query parameter combined with POST requests to the '_component_ajax' parameter where the 'html' POST body is reflected without sanitization.

You can monitor web server logs or use network traffic inspection tools to detect suspicious requests matching the pattern: a GET or POST request to endpoints like '/?r=1&_component_ajax=&_component_id=' with unusual or malicious JavaScript payloads in the POST body.

Example commands to detect such attempts might include:

  • Using grep on web server logs to find requests with the 'r' parameter and '_component_ajax': grep -E "r=[0-9]+.*_component_ajax" /var/log/apache2/access.log
  • Using curl to test the vulnerability manually by sending a crafted POST request: curl -X POST 'http://target/?r=1&_component_ajax=&_component_id=' -d 'html=<script>alert(1)</script>' -v
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on reflected XSS patterns involving the 'r' query parameter and '_component_ajax' POST parameter.
Mitigation Strategies

Immediate mitigation steps include applying the official patch or upgrading Vvveb to version 1.0.8.2 or later, which addresses this vulnerability by enforcing authentication checks and sanitizing input parameters.

Additional recommended actions are:

  • Patch the 'isEditor()' function to enforce proper authentication, session, and role verification before rendering editor components.
  • Sanitize the 'html' POST parameter to prevent injection of arbitrary JavaScript or HTML.
  • Implement a strong Content-Security-Policy (CSP) header to restrict execution of unauthorized scripts.
  • Remove or disable the ineffective 'X-XSS-Protection' header as it does not provide adequate protection.
  • Restrict access to the vulnerable endpoints to authenticated and authorized users only.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart