Microweber

microweber

Vendor: Microweber • 114 CVEs

CVEs (114)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-70792 1Microweber 1Microweber Feb 10, 2026 Feb 5, 2026 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it,...Show more Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.Show less
CVE-2025-70791 1Microweber 1Microweber Feb 10, 2026 Feb 5, 2026 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visi...Show more Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.Show less
CVE-2024-58289 1Microweber 1Microweber Jan 12, 2026 Dec 11, 2025 5.3 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field...Show more Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.Show less
CVE-2025-60954 1Microweber 1Microweber Oct 28, 2025 Oct 24, 2025 N/A· v4 8.3 HIGH· v3 N/A· v2 Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwor...Show more Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts.Show less
CVE-2025-51504 1Microweber 1Microweber Aug 19, 2025 Aug 1, 2025 N/A· v4 7.6 HIGH· v3 N/A· v2 Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field.
CVE-2025-51502 1Microweber 1Microweber Aug 19, 2025 Aug 1, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.
CVE-2025-51501 1Microweber 1Microweber Aug 19, 2025 Aug 1, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript.
CVE-2025-51503 1Microweber 1Microweber Aug 6, 2025 Jul 31, 2025 N/A· v4 7.6 HIGH· v3 N/A· v2 A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.
CVE-2025-34076 1Microweber 1Microweber Aug 20, 2025 Jul 2, 2025 6.1 MEDIUM· v4 7.2 HIGH· v3 N/A· v2 An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/downlo...Show more An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.Show less
CVE-2025-2214 1Microweber 1Microweber Jul 9, 2025 Mar 12, 2025 5.1 MEDIUM· v4 6.1 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings...Show more A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-33299 1Microweber 1Microweber Jul 3, 2025 Jan 10, 2025 N/A· v4 4.7 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
CVE-2024-33298 1Microweber 1Microweber Jul 3, 2025 Jan 10, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup
CVE-2024-33297 1Microweber 1Microweber Jul 3, 2025 Jan 10, 2025 N/A· v4 4.7 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function
CVE-2024-40101 1Microweber 1Microweber Mar 25, 2025 Aug 6, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.
CVE-2024-41381 1Microweber 1Microweber Jul 10, 2025 Aug 5, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php.
CVE-2024-41380 1Microweber 1Microweber Jul 10, 2025 Aug 5, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php.
CVE-2023-6832 1Microweber 1Microweber Nov 21, 2024 Dec 15, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-48122 1Microweber 1Microweber Nov 21, 2024 Dec 8, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.
CVE-2023-6599 1Microweber 1Microweber Nov 21, 2024 Dec 8, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-6566 1Microweber 1Microweber Nov 21, 2024 Dec 7, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

12 3 4 5 6 Next