## https://sploitus.com/exploit?id=D652F34A-857A-50BB-B86C-F88342891D8C
# CVE-2026-5615 โ VvvebJs Stored Cross-Site Scripting (RXSS)
## Overview
This repository contains a Python proof-of-concept (PoC) script demonstrating a **Stored Cross-Site Scripting (RXSS)** vulnerability affecting **VvvebJs โ ๏ธ This project is intended strictly for **authorized security testing**, **educational research**, and **defensive validation** only.
---
## Vulnerability Information
* **CVE ID:** CVE-2026-5615
* **Affected Software:** VvvebJs
* **Affected Versions:** targets.txt
```
---
## Output
### Successful Targets
Successful results are saved to:
```txt
CodeB0ss-CVE-2026-5615_Exploited.txt
```
### Terminal Status Messages
| Status | Meaning |
| ---------------- | ------------------------- |
| `Exploited` | Target appears vulnerable |
| `Not_Vulnerable` | Upload validation failed |
| `Cant_Access` | Endpoint inaccessible |
| `Time0ut` | Request timed out |
---
## How It Works
The script:
1. Reads target URLs from a file
2. Attempts to upload a crafted SVG file
3. Sends the payload using multipart form-data
4. Checks whether the uploaded SVG becomes publicly accessible
5. Verifies payload reflection and upload success
---
## Disclaimer
This repository is provided for:
* Security research
* Educational purposes
* Authorized penetration testing
* Defensive security assessments
Do not use this project against systems you do not own or have explicit permission to test.
The author assumes no responsibility for misuse or damages caused by this project.
---
## Mitigation Recommendations
Website administrators should:
* Upgrade VvvebJs to a patched version
* Disable dangerous SVG uploads
* Sanitize uploaded SVG content
* Enforce strict MIME type validation
* Deploy Content Security Policy (CSP)
* Monitor upload directories for suspicious files
* Restrict public access to uploaded assets where possible
---
## Educational Purpose Statement
This proof-of-concept was created to help:
* Security researchers
* Penetration testers
* Developers
* Blue teams
* System administrators
understand the risks associated with insecure file upload handling and stored XSS vulnerabilities.
---
## References
* CVE Database
* OWASP XSS Prevention Cheat Sheet
* OWASP File Upload Security Guidelines
* VvvebJs Security Advisories
---
## Author
Security Research / Educational Project