PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45800 givanz CVE debrief

CVE-2026-45800 affects Vvveb CMS prior to 1.0.8.3 and is described as an authenticated SQL injection in the frontend user order history page. A normal frontend user can log in, visit /user/orders, and control the order_by and direction request parameters. Those values are passed through the Orders component and concatenated into the SQL ORDER BY clause in OrderSQL::getAll() without an allowlist check or any other safe query construction step, which is the CWE-89 (SQL injection) pattern. The CVE record was published on 2026-05-15 and last modified on 2026-05-18.

Vendor: givanz
Product: Vvveb
CVSS: 8.7 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and operators running Vvveb CMS installations, especially sites that allow frontend user accounts and order history access, should treat this as a priority patching issue.

Technical summary

The vulnerability is an authenticated SQL injection in the frontend order history workflow. The request parameters order_by and direction are accepted from the URL on /user/orders, propagated through the Orders component, and concatenated directly into the SQL ORDER BY clause in OrderSQL::getAll(). The input is used as query structure rather than as a data value, and identifiers in an ORDER BY clause cannot be bound as prepared-statement parameters, so parameterizing the rest of the query does not help; the correct construction is an allowlist of permitted sort columns and of the two direction keywords. Because any logged-in frontend user can supply these values, such a user can change how the query is evaluated, and attacker-controlled ORDER BY expressions are a well-known vector for boolean- and time-based inference of data the user is not otherwise allowed to read. The advisory states the issue is fixed in Vvveb CMS 1.0.8.3.
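The following is an added example, not Vvveb's code or schema: it reproduces the pattern the advisory describes (sort column and direction concatenated into ORDER BY while the WHERE clause is parameterised) against a constructed two-table SQLite database, shows why a parameterised WHERE does not contain the problem, and places the allowlist-based construction beside it. The table layout, column names and the helper names are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed toy schema for illustration; not Vvveb's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
        CREATE TABLE users  (user_id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO orders VALUES (1, 7, 30.0), (2, 7, 10.0), (3, 7, 20.0), (4, 8, 99.0);
        INSERT INTO users  VALUES (7, 'shopper@example.test'), (8, 'admin@example.test');
    """)
    return conn


def get_all_vulnerable(conn, user_id, order_by, direction):
    """Vulnerable pattern: the row filter is a bound parameter, but the sort
    column and direction are pasted into the SQL text and become structure."""
    sql = ("SELECT order_id, total FROM orders WHERE user_id = ? "
           f"ORDER BY {order_by} {direction}")
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Hardened pattern. Identifiers cannot be passed as bind parameters, so the
# only safe construction is an allowlist lookup of both the column and the
# direction; anything not in the tables is rejected before SQL is built.
ALLOWED_COLUMNS = {"order_id": "order_id", "total": "total"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def get_all_hardened(conn, user_id, order_by, direction):
    column = ALLOWED_COLUMNS.get(order_by)
    dir_sql = ALLOWED_DIRECTIONS.get(direction.lower())
    if column is None or dir_sql is None:
        raise ValueError(f"rejected sort parameters: {order_by!r} {direction!r}")
    sql = ("SELECT order_id, total FROM orders WHERE user_id = ? "
           f"ORDER BY {column} {dir_sql}")
    return [row[0] for row in conn.execute(sql, (user_id,))]


def hardened_rejects(conn, user_id, order_by, direction):
    """True if the allowlist refuses the parameters (demo helper)."""
    try:
        get_all_hardened(conn, user_id, order_by, direction)
    except ValueError:
        return True
    return False


def inference_probe(email_pattern):
    """Constructed ORDER BY expression for the demo: the user's own rows come
    back ascending or descending depending on a condition over a table the
    user cannot query directly. The WHERE filter still holds; the sort order
    is what leaks, one bit per request."""
    return ("CASE WHEN (SELECT count(*) FROM users WHERE email LIKE "
            f"'{email_pattern}') > 0 THEN order_id ELSE -order_id END")


if __name__ == "__main__":
    db = make_db()
    print(get_all_vulnerable(db, 7, "total", "ASC"))                      # [2, 3, 1]
    print(get_all_vulnerable(db, 7, inference_probe("admin%"), "ASC"))   # [1, 2, 3]
    print(get_all_vulnerable(db, 7, inference_probe("nobody%"), "ASC"))  # [3, 2, 1]
    print(hardened_rejects(db, 7, inference_probe("admin%"), "ASC"))     # True
```

The hardened variant maps the request value to a fixed SQL fragment rather than validating and then reusing the input string, so even a value that passes the check never reaches the query text verbatim.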

Defensive priority

High. The CVSS score is 8.7 (HIGH), and the flaw is reachable by any authenticated frontend user; on a storefront with open self-registration that is effectively anyone. Patch promptly to 1.0.8.3 and review any deployments that expose order history functionality to untrusted users.

Recommended defensive actions

  • Upgrade Vvveb CMS to version 1.0.8.3 or later.
  • Review any customizations or themes that touch /user/orders or order sorting for the same pattern: a sort column or direction taken from the request and concatenated into SQL. Sorting parameters cannot be bound as query parameters, so they must be checked against an allowlist of known column names and the two direction keywords.
  • Where possible, restrict frontend account access (for example, pause new customer registrations) until patching is complete.
  • Monitor web server and application logs for requests to /user/orders whose order_by value is not one of the sort columns the page legitimately offers, or whose direction value is anything other than asc or desc. An allowlist mismatch catches encoded or obfuscated values without needing a payload signature.
  • Verify that the database account the application uses follows least privilege: access limited to the CMS schema and no administrative or file-system privileges, so that an injection cannot reach beyond the application's own data.
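An added example of the log check described above, not code from PatchSiren or the Vvveb project: it parses combined-format access log lines, picks out requests to /user/orders, and reports any order_by or direction value outside an allowlist. The allowed column names, the log format and the sample lines are all assumptions constructed for the example; substitute the sort columns the deployed version actually offers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed set of sort columns the order history page offers; replace with the
# values the deployed version actually exposes.
ALLOWED_ORDER_BY = {"order_id", "date_added", "total", "status"}
ALLOWED_DIRECTION = {"asc", "desc"}

# Combined log format (assumed; adjust the pattern for the deployment's logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def flag_order_history_requests(lines):
    """Return one finding per sort parameter whose value is outside the allowlist.

    This is a positive match against expected values, not a payload signature,
    so percent-encoded, comment-laden or otherwise obfuscated values are caught
    the same way as the obvious ones."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != "/user/orders":
            continue
        params = parse_qs(url.query)  # percent-decodes values; drops blanks
        for name, allowed in (("order_by", ALLOWED_ORDER_BY),
                              ("direction", ALLOWED_DIRECTION)):
            for value in params.get(name, []):
                if value.lower() not in allowed:
                    findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                     "param": name, "value": value})
    return findings


# Constructed sample lines, not taken from any real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2026:10:01:02 +0000] "GET /user/orders?order_by=total&direction=desc HTTP/1.1" 200 5120',
    '10.0.0.5 - - [15/May/2026:10:01:09 +0000] "GET /user/orders HTTP/1.1" 200 5118',
    '203.0.113.9 - - [15/May/2026:10:02:33 +0000] "GET /user/orders?order_by=total%2C%28SELECT%201%29&direction=asc HTTP/1.1" 200 5130',
    '203.0.113.9 - - [15/May/2026:10:02:41 +0000] "GET /user/orders/?order_by=total&direction=asc%20--%20 HTTP/1.1" 200 5130',
    '10.0.0.6 - - [15/May/2026:10:03:00 +0000] "GET /product/42?order_by=%28SELECT%201%29 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in flag_order_history_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r}")
```

Run it over the real access log with a wider allowlist if the site's sort menu offers more columns; a steady stream of mismatches from one client before the patch date is the signal to investigate.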

Evidence notes

The CVE record and NVD detail identify CVE-2026-45800 as a high-severity issue published on 2026-05-15 and modified on 2026-05-18. The linked GitHub Security Advisory describes an authenticated SQL injection in Vvveb CMS prior to 1.0.8.3, assigns CWE-89, and notes the affected order history path and SQL ORDER BY concatenation. The NVD snapshot in the source item is marked Deferred.

Official resources

Publicly disclosed on 2026-05-15 and modified on 2026-05-18. The source snapshot shows NVD vulnStatus as Deferred.