Vvveb CMS Vulnerability (CVE-2026-46408) Allows Cart Hijacking

The National Vulnerability Database (NVD) has detailed CVE-2026-46408, a high-severity vulnerability (CVSS 7.6) affecting Vvveb CMS versions prior to 1.0.8.3. This flaw, categorized as CWE-639 (Improper Authorization), allows a logged-in attacker to hijack another user’s shopping cart data during the checkout process.

Specifically, the checkout endpoint in Vvveb CMS accepts a user-controlled `cart_id` parameter and does not verify that the cart belongs to the requesting user before proceeding with the payment flow. An attacker can therefore submit a known `cart_id` belonging to another user and proceed with that user's items, potentially leading to unauthorized purchases or data exposure. The vulnerability is resolved in Vvveb CMS version 1.0.8.3.
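
The missing ownership check, modelled as an added example (this is not Vvveb CMS source; `Cart`, `Session`, the in-memory store and all function names are constructed for illustration). The flawed handler authenticates the request but trusts the client's `cart_id` as a lookup key, the hardened handler requires the cart to belong to the authenticated user, and the strictest variant never takes a `cart_id` from the client at all.

```python
"""Illustrative model of the CWE-639 flaw described above and two fixes.

Added example code, not Vvveb CMS source. Cart, Session and the in-memory
store are constructed stand-ins for the CMS's real data layer.
"""
from dataclasses import dataclass, field


@dataclass
class Cart:
    cart_id: str
    owner_id: int
    items: list = field(default_factory=list)


@dataclass
class Session:
    user_id: int
    cart_id: str  # cart the server created for this login, never client-chosen


class PermissionDenied(Exception):
    """Raised when the authenticated user does not own the requested cart."""


# Constructed sample data (not real Vvveb records): two users, one cart each.
CARTS = {
    "cart-1001": Cart("cart-1001", owner_id=1, items=["book"]),
    "cart-1002": Cart("cart-1002", owner_id=2, items=["laptop", "monitor"]),
}
SESSIONS = {
    "sess-alice": Session(user_id=1, cart_id="cart-1001"),
    "sess-bob": Session(user_id=2, cart_id="cart-1002"),
}


def checkout_vulnerable(session_token: str, requested_cart_id: str) -> Cart:
    """The pattern the advisory describes: the request is authenticated, but
    the client-supplied cart_id is used as the lookup key without checking
    who owns the cart (CWE-639)."""
    SESSIONS[session_token]            # authentication happens...
    return CARTS[requested_cart_id]    # ...but authorization never does


def checkout_hardened(session_token: str, requested_cart_id: str) -> Cart:
    """Fix: the cart must belong to the authenticated user. Missing and
    foreign carts yield the same error, so the endpoint cannot be used to
    probe which cart IDs exist."""
    session = SESSIONS[session_token]
    cart = CARTS.get(requested_cart_id)
    if cart is None or cart.owner_id != session.user_id:
        raise PermissionDenied("cart not available for this user")
    return cart


def checkout_session_bound(session_token: str) -> Cart:
    """Stricter still: accept no cart_id from the client and check out the
    cart the server already associated with this session."""
    session = SESSIONS[session_token]
    return CARTS[session.cart_id]


def can_checkout(session_token: str, requested_cart_id: str) -> bool:
    """True if the hardened handler lets this session check out this cart."""
    try:
        checkout_hardened(session_token, requested_cart_id)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    # Alice's session proceeding with Bob's cart: allowed by the flawed
    # handler, refused by the hardened one.
    print(checkout_vulnerable("sess-alice", "cart-1002").items)
    print(can_checkout("sess-alice", "cart-1002"))
```

The hardened handler fails closed on both "cart does not exist" and "cart is not yours" with one message; distinguishing the two would turn the checkout endpoint into an oracle for valid cart IDs.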

This isn’t just about free groceries; it’s about session integrity and user trust. An attacker exploiting this could manipulate orders, expose user preferences, or even trigger refunds to their own accounts if the payment gateway is sufficiently permissive. It’s a direct route to customer dissatisfaction and potential financial fraud, eroding the very foundation of an e-commerce platform.

What This Means For You

  • If your organization uses Vvveb CMS, you need to immediately verify your version. If you are running anything older than 1.0.8.3, patch it without delay. Audit your e-commerce logs for any unusual checkout activity or abandoned carts with suspicious `cart_id` values, as this could indicate attempted exploitation.

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Level: high · ATT&CK T1190 · Initial Access

Vvveb CMS Cart Hijacking Attempt (CVE-2026-46408)

Sigma YAML:

```yaml
title: Vvveb CMS Cart Hijacking Attempt (CVE-2026-46408)
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-46408 in Vvveb CMS. This rule looks for POST requests to the '/checkout' endpoint that include a 'cart_id' parameter, indicating a potential attempt to hijack another user's cart by reusing a cart ID without proper ownership verification. This is the primary indicator of the vulnerability being exploited.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-46408/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/checkout'
    cs-uri-query|contains:
      - 'cart_id='
    # Sigma has no 'exact' modifier; a bare field name is already an exact match.
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  # Every ordinary checkout that passes cart_id in the query string also matches;
  # correlate cart_id with the authenticated user or session to separate reuse
  # from normal traffic.
```
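
Both the log audit recommended under "What This Means For You" and the Sigma rule above come down to one question: is a `cart_id` being used by someone other than its owner? The rule on its own matches every legitimate checkout that carries `cart_id=`, so the following added example (not code from the page or from Vvveb; the log format and sample lines are constructed) shows the correlation step a practitioner would run over the matched events: carts posted to `/checkout` by more than one user, and single users posting many distinct cart IDs.

```python
"""Audit web-server logs for cart_id reuse on the checkout endpoint.

Added example, not Vvveb CMS tooling. The log format is constructed for the
example, one request per line:
    <timestamp> <method> <path?query> user=<login> sid=<session id> <status>
Adapt parse_line() to your server's real format (the Sigma rule above uses
W3C fields such as cs-uri-query and cs-method).
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: mallory checks out with bob's cart and then
# posts another cart ID that is not hers either.
SAMPLE_LOG = """\
2026-05-15T22:10:01Z POST /checkout?cart_id=cart-1001 user=alice sid=s-alice 200
2026-05-15T22:10:05Z POST /checkout?cart_id=cart-1002 user=bob sid=s-bob 200
2026-05-15T22:11:30Z POST /checkout?cart_id=cart-1002 user=mallory sid=s-mallory 200
2026-05-15T22:12:00Z GET /cart?cart_id=cart-1001 user=alice sid=s-alice 200
2026-05-15T22:12:40Z POST /checkout?cart_id=cart-3000 user=mallory sid=s-mallory 200
2026-05-15T22:13:00Z POST /checkout?cart_id=cart-1001 user=alice sid=s-alice 200
""".splitlines()


def parse_line(line: str):
    """Return (user, cart_id) for POST /checkout requests that carry cart_id,
    or None for anything else. This mirrors the Sigma selection above."""
    try:
        _ts, method, url, user_kv, _sid_kv, _status = line.split()
    except ValueError:
        return None  # malformed line: skip it rather than abort the audit
    parts = urlsplit(url)
    if method != "POST" or not parts.path.startswith("/checkout"):
        return None
    cart_ids = parse_qs(parts.query).get("cart_id")
    if not cart_ids:
        return None
    return user_kv.split("=", 1)[1], cart_ids[0]


def find_shared_carts(lines):
    """cart_id -> set of users who checked out with it, restricted to carts
    used by more than one user. A cart belongs to one customer, so any entry
    here is either the CWE-639 abuse described above or a data-model quirk."""
    users_by_cart = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            user, cart_id = parsed
            users_by_cart[cart_id].add(user)
    return {c: u for c, u in users_by_cart.items() if len(u) > 1}


def find_cart_fanout(lines, threshold=2):
    """user -> set of distinct cart_ids they posted to /checkout, restricted
    to users at or above the threshold. A shopper normally has one cart per
    session; several distinct IDs suggests probing other customers' carts."""
    carts_by_user = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            user, cart_id = parsed
            carts_by_user[user].add(cart_id)
    return {u: c for u, c in carts_by_user.items() if len(c) >= threshold}


if __name__ == "__main__":
    print("carts used by more than one user:", find_shared_carts(SAMPLE_LOG))
    print("users posting multiple cart IDs:", find_cart_fanout(SAMPLE_LOG))
```

Keying on the authenticated user (or session ID) rather than the client IP is what makes this useful: the vulnerability requires a logged-in account, so reuse shows up as the same `cart_id` under two different logins. Carts legitimately shared across a user's devices will appear under one login and are not flagged.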

Source: Shimi's Cyber World


Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-46408 | Auth Bypass | Vvveb CMS < 1.0.8.3 |
| CVE-2026-46408 | Auth Bypass | Vvveb CMS checkout endpoint |
| CVE-2026-46408 | Auth Bypass | Vvveb CMS checkout endpoint accepts user-controlled cart_id without ownership verification |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
