CVE-2026-44826
7.5 HIGHVvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores
Published: 2026-05-15 · Last updated: 2026-05-18
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- CWE
- CWE-1284
Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — an "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49110 — Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions (7.5 HIGH)
- CVE-2026-49078 — Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions (7.5 HIGH)
- CVE-2026-45441 — Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions (7.5 HIGH)
- CVE-2026-42657 — Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions (5.3 MEDIUM)
- CVE-2026-12059 — The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers ... (8.8 HIGH)