CVE-2026-45800 Overview
CVE-2026-45800 is an authenticated SQL injection vulnerability in Vvveb CMS, an open-source content management system with page builder functionality for websites, blogs, and ecommerce stores. The flaw affects versions prior to 1.0.8.3 and resides in the frontend user order history page at /user/orders. Attackers with valid frontend user credentials can manipulate the order_by and direction URL parameters, which are concatenated directly into the SQL ORDER BY clause in OrderSQL::getAll() without input validation or parameterization. The vulnerability is categorized as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
An authenticated attacker can extract sensitive database contents, including customer orders, credentials, and configuration data, by injecting arbitrary SQL through the order history endpoint.
Affected Products
- Vvveb CMS versions prior to 1.0.8.3
- Frontend user order history component (/user/orders)
- OrderSQL::getAll() database query function
Discovery Timeline
- 2026-05-15 - CVE-2026-45800 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45800
Vulnerability Analysis
The vulnerability exists in Vvveb CMS frontend code that handles authenticated order history requests. When a logged-in user visits /user/orders, the application reads the order_by and direction parameters from the URL query string. These values flow through the Orders component and reach OrderSQL::getAll(), where they are concatenated into the SQL statement that sorts order records.
Because the application does not enforce a whitelist of valid column names or sort directions, attacker-supplied SQL fragments become part of the executed query. The ORDER BY clause is a known sink for injection because many query builders skip parameterization for identifier positions. An attacker can chain subqueries, use conditional expressions, or leverage time-based payloads to exfiltrate database contents.
Root Cause
The root cause is unsafe string concatenation of HTTP request parameters into a SQL ORDER BY clause. The Orders component trusts client-supplied values for sort column and direction. No allowlist validates that order_by matches a known column, and no check restricts direction to ASC or DESC. Parameter binding is not applied because prepared statements typically do not bind identifiers.
Attack Vector
Exploitation requires only a low-privileged frontend account, which on most Vvveb deployments can be self-registered. The attacker authenticates, then issues a crafted request to /user/orders with malicious order_by or direction query parameters. The injected SQL executes with the database privileges of the CMS, enabling extraction of customer records, password hashes, and store configuration. Time-based blind techniques allow data retrieval even when results are not directly reflected in the response.
No verified public proof-of-concept code is available. See the GitHub Security Advisory for vendor-provided technical detail.
Detection Methods for CVE-2026-45800
Indicators of Compromise
- HTTP requests to /user/orders containing SQL keywords such as SELECT, UNION, SLEEP, BENCHMARK, or IF( in the order_by or direction parameters.
- Unusually long response times on /user/orders requests, indicating time-based blind SQL injection probing.
- Database error messages referencing OrderSQL::getAll() or malformed ORDER BY clauses appearing in application logs.
- Authenticated sessions from newly registered low-privilege accounts issuing repeated /user/orders requests with varying query parameters.
Detection Strategies
- Inspect web server and application logs for non-alphanumeric characters or SQL syntax in the order_by and direction parameters of order history requests.
- Deploy web application firewall rules that flag SQL metacharacters and keywords in query string parameters destined for /user/orders.
- Enable database query logging and alert on ORDER BY clauses containing subqueries, comments, or conditional functions.
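The log-inspection strategy above, as an added example that is not part of the original advisory: a small Python analyzer that reads nginx combined-format access log lines (with the request time appended as a trailing field, a common custom log format) and flags /user/orders requests whose order_by or direction values contain non-identifier characters or the SQL keywords listed under Indicators of Compromise, as well as slow responses and HTTP 500s from the endpoint. The log lines, IP addresses and the 2-second slow-response threshold are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (nginx combined format + trailing $request_time).
# The keyword fragments mirror the indicators listed in the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2026:10:01:02 +0000] "GET /user/orders?order_by=date&direction=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.042
203.0.113.10 - - [15/May/2026:10:01:09 +0000] "GET /user/orders?order_by=date%20SLEEP&direction=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5.071
203.0.113.10 - - [15/May/2026:10:01:20 +0000] "GET /user/orders?order_by=total&direction=asc%20UNION HTTP/1.1" 500 312 "-" "Mozilla/5.0" 0.030
198.51.100.7 - - [15/May/2026:10:02:00 +0000] "GET /user/orders?order_by=status&direction=asc HTTP/1.1" 200 4870 "-" "Mozilla/5.0" 0.039
198.51.100.7 - - [15/May/2026:10:02:05 +0000] "GET /blog/hello HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 0.011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)
# Keywords named in the advisory's indicators of compromise.
SQL_KEYWORDS = re.compile(r"\b(select|union|sleep|benchmark)\b|\bif\(", re.IGNORECASE)
# A legitimate sort column or direction is a bare identifier.
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_]*$")
SLOW_SECONDS = 2.0  # assumed threshold for time-based probing

def analyze_line(line):
    """Return a finding dict for a suspicious /user/orders request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/user/orders":
        return None
    # parse_qs percent-decodes values, so encoded spaces/parentheses are inspected decoded.
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    for name in ("order_by", "direction"):
        for value in params.get(name, []):
            if not SAFE_IDENT.match(value):
                reasons.append(f"{name} contains non-identifier characters")
            if SQL_KEYWORDS.search(value):
                reasons.append(f"{name} contains SQL keyword")
    for value in params.get("direction", []):
        if value.lower() not in ("", "asc", "desc"):
            reasons.append("direction is not asc/desc")
    if float(m.group("rt")) >= SLOW_SECONDS:
        reasons.append(f"slow response {m.group('rt')}s (possible time-based probing)")
    if m.group("status") == "500":
        reasons.append("HTTP 500 from order history endpoint")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "reasons": reasons}

def analyze_log(text):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], "; ".join(finding["reasons"]))
```

Correlating the findings by client IP (as in the Monitoring Recommendations) is a one-line grouping on the returned dicts; the regexes are deliberately narrow so that a normal request such as order_by=date&direction=desc produces no finding.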
Monitoring Recommendations
- Correlate authentication events with subsequent order history requests to identify reconnaissance from freshly created accounts.
- Monitor for spikes in HTTP 500 responses or database exceptions originating from the Orders component.
- Track outbound data volume from the database server to detect bulk extraction following injection.
How to Mitigate CVE-2026-45800
Immediate Actions Required
- Upgrade Vvveb CMS to version 1.0.8.3 or later, which contains the official fix.
- Audit recent /user/orders access logs for evidence of exploitation, focusing on suspicious order_by and direction values.
- Rotate database credentials and customer passwords if injection activity is identified.
- Restrict or disable self-registration on internet-facing Vvveb deployments until patched.
Patch Information
The vendor released a fix in Vvveb version 1.0.8.3. The patch introduces validation in OrderSQL::getAll() so that order_by and direction parameters are constrained to known-safe values before being incorporated into the SQL query. Refer to the Vvveb GitHub Security Advisory GHSA-vwcx-w4fq-9769 for release details.
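The allowlist approach the patch description refers to, and the root cause described earlier, as an added example that is not Vvveb's own PHP code: a Python rendering of the safe pattern for an ORDER BY built from request parameters. Client values are used only as keys into a fixed mapping of permitted sort columns and directions, so no request-supplied text ever reaches the SQL string, while the user_id filter stays a bound parameter. The table layout, column names, ORDERABLE_COLUMNS mapping and function names are assumptions for the example; sqlite3 stands in for the CMS database.

```python
import sqlite3

# Assumed allowlist: request value -> real column identifier. Keeping the map
# explicit means a client cannot sort by a column the application never exposed.
ORDERABLE_COLUMNS = {
    "order_id": "order_id",
    "date": "created_at",
    "total": "total",
    "status": "status",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

class InvalidSortParameter(ValueError):
    """Raised when order_by or direction is not in the allowlist."""

def build_order_clause(order_by, direction, default_col="date", default_dir="desc"):
    """Return an ORDER BY fragment assembled only from allowlisted tokens.

    Empty or missing values fall back to the defaults; anything else that is
    not an exact allowlist key is rejected rather than sanitized.
    """
    col_key = (order_by or default_col).lower()
    dir_key = (direction or default_dir).lower()
    if col_key not in ORDERABLE_COLUMNS:
        raise InvalidSortParameter(f"unknown sort column: {order_by!r}")
    if dir_key not in DIRECTIONS:
        raise InvalidSortParameter(f"invalid sort direction: {direction!r}")
    return f"ORDER BY {ORDERABLE_COLUMNS[col_key]} {DIRECTIONS[dir_key]}"

def is_rejected(order_by, direction):
    """True if the allowlist refuses this (order_by, direction) pair."""
    try:
        build_order_clause(order_by, direction)
    except InvalidSortParameter:
        return True
    return False

def get_user_orders(conn, user_id, order_by=None, direction=None):
    """Fetch one user's orders; identifiers come from the allowlist, data is bound."""
    sql = ("SELECT order_id, total, status, created_at FROM orders WHERE user_id = ? "
           + build_order_clause(order_by, direction))
    return conn.execute(sql, (user_id,)).fetchall()

def demo_connection():
    """In-memory database with constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER, user_id INTEGER, "
                 "total REAL, status TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, 7, 19.99, "paid", "2026-01-10"),
        (2, 7, 5.00, "pending", "2026-02-01"),
        (3, 8, 99.00, "paid", "2026-02-05"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_connection()
    print(get_user_orders(conn, 7, "total", "asc"))
    print("rejected:", is_rejected("total DESC, status", "asc"))
```

Rejecting with an error instead of silently falling back to the default keeps the bad value visible in application logs, which is what the detection strategies above rely on.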
Workarounds
- Place the Vvveb application behind a web application firewall with rules blocking SQL syntax in order_by and direction query parameters.
- Temporarily disable access to /user/orders at the reverse proxy layer until the patch is applied.
- Apply least-privilege database credentials to the CMS service account to limit the impact of successful injection.
# Example nginx rule to block SQL metacharacters in order history parameters
location /user/orders {
    # order_by may only be a bare identifier (letters, digits, underscore)
    if ($arg_order_by ~* "[^A-Za-z0-9_]") { return 403; }
    # direction may only be asc, desc, or absent
    if ($arg_direction !~* "^(asc|desc)?$") { return 403; }
    proxy_pass http://vvveb_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.