Vvveb CMS

v1.0.8.3 Security

This release includes 2 security fixes and is relevant to security teams reviewing exposed deployments.

Published 21d Productivity & Wikis
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

backend blog blog-engine blog-platform blogging cms content-management content-management-system ecommerce ecommerce-platform no-code page-builder php php-cms php7 php8 self-hosted shopping-cart web website-builder

Affected surfaces

auth rbac rce_ssrf deps

ReleasePort's take

Light signal
editorial:auto 13d

ReleasePort Layer 1: version 1.0.8.3 uses an encrypted cart_id on the Cart page, blocking unauthorized access to cart data.

Why it matters: Patch to 1.0.8.3 immediately if your deployment handles cart sessions; an unencrypted cart identifier can be used to load cart data that does not belong to the requesting user.

Summary

AI summary

Fixed cart page to use encrypted cart_id, preventing unauthorized cart data access.

Changes in this release

  • Security, Medium: Cart page uses encrypted cart_id to prevent unauthorized cart data access (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Fixed incorrect module permission checks in admin controllers (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Whitelist sort order and direction for user orders endpoint (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Sanitize user display_name field to prevent injection attacks (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Validate plugin uploads and prevent PHP exposure in public folder (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Prevent Apache directory listing to avoid information disclosure (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Escape customer_order_id in missing order warning to prevent XSS (Source: llm_adapter@2026-05-21; Confidence: high)
  • Security, Medium: Fixed controller recursion vulnerability causing PHP memory exhaustion (Source: llm_adapter@2026-05-21; Confidence: low)
  • Security, Medium: SanitizeHTML now strips JavaScript in tags with escaped entities (Source: llm_adapter@2026-05-21; Confidence: low)

Full changelog
  • Fixed cart page to use only encrypted cart_id instead of unencrypted to avoid loading random cart data, vulnerability reported by @Mitchell45 https://github.com/givanz/Vvveb/commit/301e9b66a3b3a1cb42cb05ad1ff3cd428ed30b26
  • Fixed wrong module permission check for some admin controllers, vulnerability reported by @Mitchell45 https://github.com/givanz/Vvveb/commit/8d59962b5d9775264f0f05bf87ee1f514ebf7666
  • Whitelist sort order and direction for /user/orders, vulnerability reported by @whuHouYF https://github.com/givanz/Vvveb/commit/e855c8572b7298901ebc249e11883eefc03a7b48
  • Added sanitization for user display_name field, vulnerability reported by @CyberWarrior9 https://github.com/givanz/Vvveb/commit/fefac290a8c85d3c87fe80ffed68b6c5bc50e93c
  • Validate plugin upload and check that no PHP is exposed in the public folder, vulnerability reported by @CyberWarrior9 https://github.com/givanz/Vvveb/commit/04f0294350ec429e307cd31c2e777a4797c868d6
  • Prevent Apache directory listing, vulnerability reported by @CyberWarrior9 https://github.com/givanz/Vvveb/commit/96ae04c5e4a295e281adc1d02d77444173653deb
  • Fixed Controller Recursion PHP Memory Exhaustion reported by @CyberWarrior9 https://github.com/givanz/Vvveb/commit/c766e84b479dcf1bd1f25a44e4b9c9fa450769c8
  • Added escape for customer_order_id in missing order warning message, fix for GHSA-3xwm-8f6m-cfc6 reported by @whuHouYF https://github.com/givanz/Vvveb/commit/2457d88b125430d0724978993442946e43a6dac2
  • Changed sanitizeHTML to strip JavaScript code inside tags with escaped entities, fix for GHSA-39gc-pjv5-4w4p reported by @elvinsuleymanov https://github.com/givanz/Vvveb/commit/7e02b0e1a375480bf4b45a10175f6c07f91ff409
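The /user/orders fix above replaces free-form sort parameters with an allowlist. The following is an added illustration of that pattern in PHP; it is not Vvveb's own code, and the table name, column names, and the `resolveOrderSort` / `buildUserOrdersQuery` function names are assumptions for the example. The point is that identifiers in an ORDER BY clause cannot be bound as prepared-statement parameters, so the only safe way to accept them from a request is to map them onto a fixed set of known values and fall back to a default for anything else.

```php
<?php
// Added example, not Vvveb's own code. Allowlist-based validation of a
// user-supplied sort column and direction before they reach an ORDER BY.
// Table and column names are hypothetical.

const ALLOWED_ORDER_COLUMNS = ['order_id', 'created_at', 'total', 'status'];
const ALLOWED_DIRECTIONS    = ['ASC', 'DESC'];

/**
 * Map request-supplied sort parameters onto allowlisted values.
 * Anything not on the list (including null) falls back to a safe default,
 * so an unknown or sensitive column name can never reach the query.
 */
function resolveOrderSort(?string $orderBy, ?string $direction): array
{
    $column = in_array($orderBy, ALLOWED_ORDER_COLUMNS, true) ? $orderBy : 'created_at';

    $dir = strtoupper(trim((string) $direction));
    $dir = in_array($dir, ALLOWED_DIRECTIONS, true) ? $dir : 'DESC';

    return [$column, $dir];
}

/**
 * Build the orders query for one user. Only allowlisted identifiers are
 * interpolated; the user id remains a bound parameter.
 * Returns [sql, bindings] so the caller can pass them to PDO::prepare/execute.
 */
function buildUserOrdersQuery(int $userId, ?string $orderBy, ?string $direction): array
{
    [$column, $dir] = resolveOrderSort($orderBy, $direction);

    $sql = 'SELECT order_id, created_at, total, status FROM orders '
         . 'WHERE user_id = :user_id '
         . "ORDER BY `$column` $dir";   // MySQL-style identifier quoting

    return [$sql, [':user_id' => $userId]];
}

// Constructed sample inputs, as they might arrive in a query string.
$cases = [
    ['created_at',    'asc'],        // valid column, lower-case direction
    ['total',         'DESC'],       // valid column and direction
    ['password_hash', 'ASC'],        // column not exposed for sorting: default used
    ['status',        'sideways'],   // unknown direction: default used
    [null,            null],         // parameters absent: both defaults used
];

foreach ($cases as [$col, $dir]) {
    [$sql, $params] = buildUserOrdersQuery(42, $col, $dir);
    echo $sql, '  -- bindings: ', json_encode($params), PHP_EOL;
}
```

Running the script prints one query per sample case; the third and fourth cases show the rejected values replaced by `created_at` and `DESC` rather than being interpolated. Strict comparison (`in_array(..., true)`) matters here, because a loose comparison would let values such as `0` match unexpectedly.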

Security Fixes

  • GHSA-3xwm-8f6m-cfc6 — Added escape for customer_order_id in missing order warning message
  • GHSA-39gc-pjv5-4w4p — sanitizeHTML now strips JavaScript code inside tags with escaped entities


About Vvveb CMS

Powerful and easy to use CMS to build websites, blogs or e-commerce stores.


Earlier breaking changes

  • v1.0.8.4 Removes subdir from request URI for subdir installs
