
CVE-2026-34429

Medium
CWE-79 — Weakness Type
Published: Apr 20, 2026  ·  Modified: Apr 23, 2026  ·  Source: NVD
CVSS v3
5.4
📄 Description (English)

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.

🤖 AI Executive Summary

CVE-2026-34429 is a stored XSS vulnerability in Vvveb CMS prior to version 1.0.8.1 that allows authenticated users with media upload permissions to execute arbitrary JavaScript by bypassing MIME validation and renaming files to executable extensions. Attackers can leverage this to create backdoor accounts and upload malicious plugins, potentially leading to remote code execution. While currently unpatched, the vulnerability requires authentication and specific permissions, moderating immediate risk but warranting urgent attention for organizations using Vvveb.


🤖 AI Intelligence Analysis (analyzed: May 28, 2026 14:18)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Vvveb CMS for content management—particularly government agencies, educational institutions, and small-to-medium enterprises—face moderate risk. Government entities under NCA oversight and SAMA-regulated financial institutions using Vvveb for public-facing portals are most vulnerable. The vulnerability enables privilege escalation and backdoor creation, potentially compromising confidentiality and integrity of hosted content. Healthcare organizations and energy sector entities using Vvveb for internal documentation systems could face data exfiltration risks if administrative accounts are compromised.
🏢 Affected Saudi Sectors
Government and Public Administration, Education and Universities, Small and Medium Enterprises (SMEs), Healthcare, Energy and Utilities, Telecommunications, Media and Publishing
⚖️ Saudi Risk Score (AI)
5.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all Vvveb installations in your environment and identify version numbers
2. Restrict media upload and file rename permissions to trusted administrators only
3. Implement file upload restrictions at the web application firewall level to block .html, .js, .php extensions
4. Review access logs for suspicious file uploads or renames in the past 90 days
5. Monitor for unauthorized administrator account creation

Patching Guidance:
1. Upgrade to Vvveb 1.0.8.1 or later when available
2. If upgrade is not immediately possible, apply compensating controls below

Compensating Controls:
1. Disable media upload functionality if not actively required
2. Implement strict MIME type validation at the server level (whitelist only: image/jpeg, image/png, image/gif)
3. Store uploaded files outside the web root directory
4. Disable file rename functionality or restrict to administrators only
5. Implement Content Security Policy (CSP) headers to prevent inline script execution
6. Use X-Content-Type-Options: nosniff header to prevent MIME type sniffing
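Compensating controls 2 through 4 above only work if the upload path checks more than the declared MIME type, because the advisory's bypass is a file whose first bytes are a valid GIF89a header followed by HTML. The following is an added illustration in Python (not Vvveb's own code, which is PHP) of a server-side upload and rename policy: extension allowlist, declared-type check, magic-byte check, a content tripwire for HTML/JavaScript markers hidden behind an image header, a server-generated storage name, and a rename rule that refuses to change the extension. The allowlist, marker regex and `UPLOAD_ROOT` path are assumptions chosen for the example.

```python
import os
import re
import secrets

# Allowlisted extensions and the MIME type each must declare (example policy,
# mirroring the advisory's image/jpeg, image/png, image/gif whitelist).
ALLOWED = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
}

# Magic bytes each allowlisted type must start with.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markers that indicate HTML/JavaScript hidden behind an image header.
# This is a heuristic tripwire: a genuine image can contain these bytes by
# chance, so it complements (does not replace) storing uploads outside the
# web root and serving them with X-Content-Type-Options: nosniff.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|body|iframe|svg|object|embed|meta)\b|javascript:|on\w+\s*=",
    re.IGNORECASE,
)

UPLOAD_ROOT = "/srv/vvveb-uploads"  # assumed directory outside the web root


class UploadRejected(ValueError):
    """Raised when an upload or rename violates the policy."""


def extension_of(filename: str) -> str:
    """Return the lower-cased extension; reject names with no dot or more than one."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected(f"unacceptable filename: {filename!r}")
    return parts[1].lower()


def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Check extension, declared MIME, magic bytes and body; return the storage name."""
    ext = extension_of(filename)
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    expected = ALLOWED[ext]
    if declared_type.lower() != expected:
        raise UploadRejected(f"declared {declared_type} but .{ext} requires {expected}")
    if not data.startswith(MAGIC[expected]):
        raise UploadRejected("magic bytes do not match declared type")
    # A GIF89a header followed by markup passes the two checks above,
    # so look past the header before accepting.
    if ACTIVE_CONTENT.search(data):
        raise UploadRejected("image carries HTML/JavaScript markers")
    # Never keep the client's file name: it is attacker-controlled input.
    return f"{secrets.token_hex(16)}.{ext}"


def screen_upload(filename: str, declared_type: str, data: bytes) -> tuple[str, str]:
    """Return ('accept', storage_name) or ('reject', reason)."""
    try:
        return ("accept", validate_upload(filename, declared_type, data))
    except UploadRejected as exc:
        return ("reject", str(exc))


def screen_rename(old_name: str, new_name: str) -> tuple[str, str]:
    """Permit a rename only when the extension stays the same and allowlisted."""
    try:
        old_ext, new_ext = extension_of(old_name), extension_of(new_name)
    except UploadRejected as exc:
        return ("reject", str(exc))
    if old_ext not in ALLOWED or new_ext != old_ext:
        return ("reject", f"rename may not change extension .{old_ext} -> .{new_ext}")
    return ("accept", os.path.basename(new_name))


if __name__ == "__main__":
    polyglot = b"GIF89a" + b"<html><script>alert(1)</script>"  # constructed sample
    print(screen_upload("banner.gif", "image/gif", polyglot))
    print(screen_rename("banner.gif", "banner.html"))
```

Files that pass `screen_upload` would be written under `UPLOAD_ROOT` and served through a handler that sets the validated `Content-Type`, `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, so that even a file the tripwire missed is never interpreted as a document in the administrator's origin.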

Detection Rules:
1. Monitor for file uploads with GIF89a headers followed by HTML/JavaScript content
2. Alert on file rename operations changing extensions to .html, .js, .php, .asp
3. Track creation of new administrator accounts within 24 hours of suspicious uploads
4. Monitor plugin installation activities for unauthorized additions
5. Log all media upload and rename operations with user attribution
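The five detection rules above can be expressed as one pass over an application audit log. This added example (Python, not part of the advisory or of Vvveb) runs the rules over a constructed JSON-lines log: an upload whose magic bytes say GIF but whose sniffed content is HTML, a rename to an executable extension, an administrator account created within 24 hours of that activity, and a plugin installed by the new account. The event and field names (`media.upload`, `magic`, `sniffed`, `role`, ...) are assumptions about what a well-instrumented CMS would log, not Vvveb's real log format.

```python
import json
from datetime import datetime, timedelta

EXECUTABLE_EXT = {"html", "js", "php", "asp"}  # extensions named in the advisory
ACTIVE_TYPES = {"text/html", "application/javascript", "text/javascript"}
WINDOW = timedelta(hours=24)  # admin creation within 24h of suspicious upload/rename

# Constructed audit events; field names are assumptions, not Vvveb's log format.
SAMPLE_LOG = """\
{"ts":"2026-04-21T09:02:11Z","event":"media.upload","user":"editor1","file":"banner.gif","magic":"GIF89a","sniffed":"text/html"}
{"ts":"2026-04-21T09:03:40Z","event":"media.rename","user":"editor1","from":"banner.gif","to":"banner.html"}
{"ts":"2026-04-21T17:45:02Z","event":"user.create","user":"admin","target":"svc_backup","role":"administrator"}
{"ts":"2026-04-21T17:46:30Z","event":"plugin.install","user":"svc_backup","plugin":"cache-helper"}
{"ts":"2026-04-22T08:00:00Z","event":"media.upload","user":"editor2","file":"photo.jpg","magic":"JFIF","sniffed":"image/jpeg"}
{"ts":"2026-04-23T12:00:00Z","event":"user.create","user":"admin","target":"new_editor","role":"editor"}
"""


def ext(name: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse(text: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def alert(rule: str, e: dict, detail: str) -> dict:
    """Build one alert record with user attribution (detection rule 5)."""
    return {"rule": rule, "ts": e["ts"].isoformat(), "user": e["user"], "detail": detail}


def detect(text: str) -> list[dict]:
    """Apply the advisory's detection rules to an audit log and return alerts."""
    alerts = []
    suspicious = []  # timestamps of suspicious upload/rename events
    created = {}     # admin accounts created inside a suspicious window -> ts
    for e in parse(text):
        kind = e["event"]
        if kind == "media.upload":
            # Rule 1: GIF header but the body sniffs as HTML/JavaScript (polyglot).
            if e.get("magic", "").startswith("GIF8") and e.get("sniffed") in ACTIVE_TYPES:
                alerts.append(alert("polyglot_upload", e, f"{e['file']} sniffed as {e['sniffed']}"))
                suspicious.append(e["ts"])
        elif kind == "media.rename":
            # Rule 2: rename that turns a non-executable name into an executable one.
            if ext(e["to"]) in EXECUTABLE_EXT and ext(e["from"]) not in EXECUTABLE_EXT:
                alerts.append(alert("rename_to_executable", e, f"{e['from']} -> {e['to']}"))
                suspicious.append(e["ts"])
        elif kind == "user.create" and e.get("role") == "administrator":
            # Rule 3: new administrator within WINDOW after suspicious activity.
            if any(timedelta(0) <= e["ts"] - t <= WINDOW for t in suspicious):
                alerts.append(alert("admin_created_after_suspicious_activity", e, e["target"]))
                created[e["target"]] = e["ts"]
        elif kind == "plugin.install" and e["user"] in created:
            # Rule 4: plugin installed by an account flagged under rule 3.
            alerts.append(alert("plugin_install_by_new_admin", e, e["plugin"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The sample log is deliberately ordered as the advisory describes the abuse chain; in production the `suspicious` list would be bounded to the window and the `sniffed` field would come from the same magic-byte check the upload handler performs, so that the detector and the preventive control agree on what a polyglot looks like.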
🔧 Remediation Steps (Arabic)
Immediate Actions:
1. Audit all Vvveb installations in your environment and identify version numbers
2. Restrict file upload and rename permissions to trusted administrators only
3. Apply file upload restrictions on the firewall to block the .html, .js and .php extensions
4. Review access logs for suspicious upload or rename operations in the past 90 days
5. Monitor for the creation of unauthorized administrator accounts

Patching Guidance:
1. Upgrade to Vvveb 1.0.8.1 or a newer version when available
2. If upgrading is not immediately possible, apply the compensating controls below

Compensating Controls:
1. Disable the file upload function if it is not actively required
2. Apply strict MIME type validation at the server level (whitelist only: image/jpeg, image/png and image/gif)
3. Store uploaded files outside the web root directory
4. Disable the rename function or restrict it to administrators only
5. Apply Content Security Policy (CSP) headers to prevent execution of inline scripts
6. Use the X-Content-Type-Options: nosniff header to prevent MIME type sniffing

Detection Rules:
1. Monitor file uploads with GIF89a headers followed by HTML/JavaScript content
2. Alert on file rename operations that change extensions to .html, .js, .php and .asp
3. Track the creation of new administrator accounts within 24 hours of suspicious uploads
4. Monitor plugin installation activities for unauthorized additions
5. Log all file upload and rename operations with user attribution
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - User access management and authentication
A.6.2.1 - User access rights review
A.7.1.1 - Physical and environmental security
A.12.2.1 - Restrictions on software installation
A.12.4.1 - Event logging and monitoring
A.14.2.1 - Security of development and test environments
🔵 SAMA CSF
ID.AM-2 - Software inventory and asset management
PR.AC-1 - Access control and user management
PR.AC-4 - Access rights and permissions management
DE.CM-1 - System monitoring and event detection
DE.CM-3 - Activity monitoring and logging
RS.MI-2 - Incident response and containment
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.6.1.1 - User access management
A.6.2.1 - User access rights review
A.8.1.1 - User endpoint devices
A.12.2.1 - Restrictions on software installation
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logging
A.14.2.1 - Secure development policy
📊 CVSS Score
5.4 / 10.0 (Medium)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): N (Network)
Attack Complexity (AC): L (Low)
Privileges Required (PR): L (Low)
User Interaction (UI): R (Required)
Scope (S): C (Changed)
Confidentiality (C): L (Low)
Integrity (I): L (Low)
Availability (A): N (None)
📋 Quick Facts
Severity: Medium
CVSS Score: 5.4
CWE: CWE-79
EPSS: 0.04%
Exploit: No
Patch: ✗ No
Published: 2026-04-20
Source Feed: nvd
🇸🇦 Saudi Risk Score
5.8 / 10.0 (Saudi Risk)
Priority: HIGH
🏷️ Tags
CWE-79