@KhanMarshaI
Last active September 18, 2025 08:13
Summary

Vvveb does not strip metadata from uploaded images, potentially exposing users' PII.

Credits

0xHamy & KhanMarshaI

Affected Endpoints

  • Every image upload/view feature of Vvveb.

Steps to reproduce

  • Get a sample image that contains EXIF metadata.
  • Upload it anywhere on Vvveb (product image, post/page images, front-end assets, profile picture).
  • Download the uploaded image.
  • View its metadata on https://jimpl.com

Proof Of Concept

  • Create a test product: Product Creation
  • As an unauthenticated user, view the product (and download the image): Product View
  • After downloading the image, upload it to the EXIF viewer: Exif Viewer
  • All metadata of the image is still present.

Affected Version

  • Vvveb 1.0.7.2 (Latest)