CVE-2026-44826

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — an "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j
https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j

Configurations

No configuration.

History

15 May 2026, 22:16

Type	Values Removed	Values Added
References	~~() https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j -~~	() https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j -

15 May 2026, 19:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-15 19:17

Updated : 2026-05-18 17:26

NVD link : CVE-2026-44826

Mitre link : CVE-2026-44826

CVE.ORG link : CVE-2026-44826

JSON object : View

Products Affected

No product.

CWE

CWE-1284

Improper Validation of Specified Quantity in Input

7.5 /10