
Vvveb CMS

v1.0.8.6 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 1d ago, category: Productivity & Wikis
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

backend, blog, blog-engine, blog-platform, blogging, cms, content-management, content-management-system, ecommerce, ecommerce-platform, no-code, page-builder, php, php-cms, php7, php8, self-hosted, shopping-cart, web, website-builder

Affected surfaces

auth, rce_ssrf

ReleasePort's take

Moderate signal (editorial: auto, 1d ago)

Version 1.0.8.6 patches two XSS vulnerabilities in HTML sanitization and adds recursive filtering to sanitizeFileName.

Why it matters: The release fixes a high-severity (90) sanitizeHTML injection flaw and a medium-severity (85) sanitizeFileName flaw; operators should upgrade immediately if these functions are used.

Summary

AI summary

Fixed two XSS vulnerabilities in HTML sanitization and added recursive filtering to sanitizeFileName.

Changes in this release

  • Security, critical: Fixes sanitizeHTML vulnerability allowing 'on' attribute injection (source: llm_adapter@2026-06-11, confidence: high)
  • Security, high: Adds recursive filtering to sanitizeFileName preventing injection (source: llm_adapter@2026-06-11, confidence: high)
  • Feature, low: Shows server message on translation edit error (source: llm_adapter@2026-06-11, confidence: high)
  • Feature, low: Updates admin template and page builder UI (source: llm_adapter@2026-06-11, confidence: high)
  • Feature, low: Updates plugins (source: llm_adapter@2026-06-11, confidence: high)
  • Bugfix, medium: Fixes tree list expand arrow button click issue (source: llm_adapter@2026-06-11, confidence: high)

Full changelog
  • Use curl resolve to avoid private IP redirect and IPv6 bypass, vulnerability reported by @EvidentObscurity https://github.com/givanz/Vvveb/commit/e27d1ef097a8502c33f8cc94271c948407c5dce3
  • Admin template update, page builder UI changes https://github.com/givanz/Vvveb/commit/a4882d42411466ea90b6612933b5d1f70fa7cc83
  • Plugins update https://github.com/givanz/Vvveb/commit/513db6d716410d75bed99436bf5ed10384cca100
  • Translations edit shows server message on error, fixed tree list expand arrow button click https://github.com/givanz/Vvveb/commit/6bc8390957256dd831691f352e8c472fb3c91374
  • Fixed sanitizeHTML() 'on' attributes sanitization when attribute has '>', vulnerability reported by @EvidentObscurity https://github.com/givanz/Vvveb/commit/c466e618ad1b94916f56062b7732edb5a336f57d
  • Added recursive filtering to sanitizeFileName(), vulnerability reported by @EvidentObscurity https://github.com/givanz/Vvveb/commit/8c062a047a66d6f04307f8d0e37c34f709a201a9
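The recursive sanitizeFileName change is the fix for a general weakness rather than a Vvveb-specific one: a filter applied once can leave behind a traversal token that is assembled from the characters on either side of the one it just removed. The PHP below is an added illustration of that pattern and of the fixed-point approach; it is not Vvveb's sanitizeFileName, and the function names, the filter rules and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added illustration (not Vvveb's code). Function names and filter rules are assumptions.

// One-pass filter: drop NUL bytes and parent-directory traversal tokens exactly once.
// str_replace scans left to right and never re-examines text it has already produced.
function sanitizeFileNameOnce(string $name): string
{
    return str_replace(["\0", '../', '..\\'], '', $name);
}

// Fixed-point filter: re-apply the one-pass filter until the output stops changing,
// so that removing one token can never expose another token that was split around it.
// A round budget turns a pathological input into an explicit refusal instead of a long loop.
function sanitizeFileName(string $name, int $maxRounds = 10): string
{
    for ($round = 0; $round < $maxRounds; $round++) {
        $clean = sanitizeFileNameOnce($name);
        if ($clean === $name) {
            return $clean;            // nothing left to strip: this is the fixed point
        }
        $name = $clean;
    }
    throw new InvalidArgumentException('filename did not stabilise after filtering');
}

// Constructed sample inputs: an ordinary name, plain traversal, "split" traversal
// that survives a single pass, and an embedded NUL byte.
$samples = [
    'report.pdf',
    '../../etc/passwd',
    '....//....//etc/passwd',
    "a\0b.txt",
];

foreach ($samples as $sample) {
    printf(
        "%-30s once=%-22s fixed=%s\n",
        json_encode($sample),
        json_encode(sanitizeFileNameOnce($sample)),
        json_encode(sanitizeFileName($sample))
    );
}
// '....//....//etc/passwd' becomes '../../etc/passwd' after one pass (the removal of each
// '../' joins the surrounding dots and slash into a fresh token) and 'etc/passwd' at the
// fixed point.
```

Reaching a fixed point only guarantees that the filter has nothing left to remove; it does not by itself prove the result is safe to use. A practitioner would still resolve the final path against the intended base directory and reject anything that escapes it, and would prefer an allow-list of permitted characters over a deny-list of known-bad tokens where the application can tolerate it.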

Security Fixes

  • Fixed sanitizeHTML on-attribute sanitization vulnerability that allowed 'on' event injection when the attribute contained '>'
  • Fixed the remote-fetch bypass via private IP redirect and IPv6 by using curl resolve, vulnerability reported by @EvidentObscurity
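The curl resolve change addresses the usual gap in "validate the hostname, then let curl fetch it": the DNS answer or an HTTP redirect can change the destination after the check, and IPv6 records are easy to miss when only A records are vetted. The PHP below is added here and is not Vvveb's code; it shows one way to vet every A and AAAA answer, pin the chosen address with CURLOPT_RESOLVE so the connection cannot drift away from what was checked, and follow redirects manually so each hop goes through the same vetting. fetchPublicUrl, pickPublicAddress and isPublicAddress are names made up for the example, and the timeouts are arbitrary choices.

```php
<?php
// Added illustration (not Vvveb's code). Function names and timeouts are assumptions.

// FILTER_FLAG_NO_PRIV_RANGE rejects RFC 1918 space and fc00::/7; FILTER_FLAG_NO_RES_RANGE
// rejects loopback, link-local (including 169.254.0.0/16), 0.0.0.0/8, ::ffff:0:0/96
// (IPv4-mapped IPv6) and similar reserved blocks.
function isPublicAddress(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Resolve both A and AAAA records and require every answer to be public. Returning a
// single vetted address lets the caller pin it, so curl never performs its own lookup.
function pickPublicAddress(string $host): string
{
    $literal = trim($host, '[]');                      // IPv6 literals arrive bracketed in URLs
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        if (!isPublicAddress($literal)) {
            throw new RuntimeException("refusing private/reserved address literal: $host");
        }
        return $literal;
    }

    $candidates = [];
    foreach (dns_get_record($host, DNS_A) ?: [] as $record) {
        $candidates[] = $record['ip'];
    }
    foreach (dns_get_record($host, DNS_AAAA) ?: [] as $record) {
        $candidates[] = $record['ipv6'];
    }
    if ($candidates === []) {
        throw new RuntimeException("cannot resolve $host");
    }
    foreach ($candidates as $ip) {                      // one private answer rejects the host
        if (!isPublicAddress($ip)) {
            throw new RuntimeException("$host resolves to private/reserved address $ip");
        }
    }
    return $candidates[0];
}

// Fetch a URL while keeping the vetted address and the actual connection in agreement.
function fetchPublicUrl(string $url, int $maxRedirects = 3): string
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $parts = parse_url($url);
        $scheme = $parts['scheme'] ?? '';
        if ($parts === false || !in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
            throw new RuntimeException("refusing URL: $url");
        }
        $host = $parts['host'];
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
        $ip   = pickPublicAddress($host);
        $pin  = strpos($ip, ':') !== false ? "[$ip]" : $ip;   // bracket IPv6 for CURLOPT_RESOLVE

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,                  // redirects are handled below, per hop
            CURLOPT_RESOLVE        => ["$host:$port:$pin"],   // use the vetted address, no re-lookup
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);

        if ($body === false) {
            throw new RuntimeException('request failed');
        }
        if ($status >= 300 && $status < 400 && $next) {
            $url = $next;                                     // the next hop is vetted on the next loop
            continue;
        }
        return $body;
    }
    throw new RuntimeException('too many redirects');
}

// Usage (constructed placeholder URL): echo fetchPublicUrl('https://example.com/feed.xml');
```

Two caveats a reviewer would raise. First, PHP's reserved-range flags do not cover every block that can reach internal services, for example 100.64.0.0/10 (carrier-grade NAT) or the NAT64 prefix 64:ff9b::/96, so deployments that sit behind such addressing should extend isPublicAddress with their own deny-list. Second, because CURLOPT_RESOLVE pins only the address, the Host header and TLS SNI still carry the original hostname, which is exactly what makes the pinned connection behave like a normal request to that site.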


About Vvveb CMS

Powerful and easy to use CMS to build websites, blogs or e-commerce stores.


Related context

Earlier breaking changes

  • v1.0.8.4 Removes subdir from request URI for subdir installs
