CVE-2026-44826
Published: 15 May 2026
Summary
CVE-2026-44826 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
NVD Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative…
more
integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — an "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)