CVE-2026-45622

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting XSS issue in the public product return form in Vvveb CMS. The customerorderid POST parameter is inserted into the...

EUVD-2026-30583

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting XSS issue in the public product return form in Vvveb CMS. The customerorderid POST parameter is inserted into the...

CVE-2026-45622

Vvveb CMS (version prior to 1.0.8.3) is affected by an unauthenticated reflected XSS in the public product return form. The issue arises from inserting the customer_order_id into the error message without HTML escaping, allowing attacker-controlled HTML/JavaScript to execute in the submitting use...

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Unauthenticated users can view completed guest orders by Order ID GHSL-2026-029 The OrdersControllershow action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing token requirement in OrdersControllershow: rub...

Shopify: Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation

It came to my attention that the Shopify Chat application allows a customer to retrieve its order status by only providing the order email and number. Noticing that it results in being provided the order status page link, I started playing a bit with both parameters and I found out that it is...