**Executive Summary:** CVE-2026-46407 is a HIGH severity (CVSS 8.1) authorization bypass vulnerability in Vvveb CMS affecting versions prior to 1.0.8.3. An authenticated administrator can exploit a missing authorization check on the backend `admin/auth-token` endpoint to enumerate and retrieve REST API tokens belonging to other administrators, leading to sensitive credential disclosure and potential privi [truncated]
CVE-2026-45800 affects Vvveb CMS prior to 1.0.8.3 and is described as an authenticated SQL injection in the frontend user order history page. A normal frontend user can log in, visit `/user/orders`, and influence the `order_by` and `direction` parameters. Those values are passed through the Orders component and concatenated into the SQL `ORDER BY` clause in `OrderSQL::getAll()` without a whitelist or safe query con [truncated]
Vvveb CMS versions prior to 1.0.8.3 contain an unauthenticated reflected cross-site scripting (XSS) vulnerability in the public product return form. The `customer_order_id` POST parameter is inserted into an error message without HTML escaping, allowing attacker-controlled JavaScript to execute in the victim's browser when the order lookup fails. This is a client-side attack requiring user interaction (fo [truncated]
Vvveb CMS versions prior to 1.0.8.3 contain a stored cross-site scripting (XSS) vulnerability classified as CWE-79. The vulnerability allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' sessions. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and user interaction, with impacts to co [truncated]
CVE-2026-44826 is a high-severity input-validation flaw in Vvveb CMS affecting the cart-add endpoint. Prior to 1.0.8.2, a negative quantity value is accepted and then propagated through cart and checkout calculations, producing negative line totals, subtotals, taxes, and grand totals. The issue can surface in the merchant dashboard as a real order with a negative total, creating an integrity and financial [truncated]
A stored cross-site scripting (XSS) vulnerability in Vvveb CMS allows unauthenticated attackers to inject malicious scripts via the author field in the comment submission flow. The vulnerability exists because user-supplied input is stored without sanitization and later rendered unsanitized in administrative interfaces. This affects versions prior to 1.0.8.1. The CVSS 3.1 score of 6.1 (Medium) reflects ne [truncated]