Is there a public PoC exploit available for EUVD-2026-36674?

Yes, a public proof-of-concept exploit is available for EUVD-2026-36674. Prioritise patching immediately. EPSS: 0.5%.

Microweber CMS EUVD-2026-36674

Q: What is the CVSS score of EUVD-2026-36674?

EUVD-2026-36674 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.5%.

| CVE-2026-12198 MEDIUM

Path Traversal (CWE-22)

2026-06-15 VulDB

GHSA-vv4x-qcpq-wgrg

Path Traversal Microweber

5.5

CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

6.5 MEDIUM

No-session endpoint requires no authentication (PR:N, AV:N); path traversal yields limited file read/write with no availability impact and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 15, 2026 - 00:26 vuln.today

CVSS changed

Jun 15, 2026 - 00:22 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in Microweber CMS up to version 2.0.20 exposes the unauthenticated /api_nosession/thumbnail_img endpoint to file system manipulation via the cache_path_relative parameter of the userfiles_path function. Remote, unauthenticated attackers can traverse outside the intended directory to read - and potentially write - files accessible to the web server process. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify internet-facing Microweber instance

Delivery

Send unauthenticated HTTP request to /api_nosession/thumbnail_img

Exploit

Inject traversal sequences into cache_path_relative parameter

Execution

userfiles_path resolves path outside intended directory

Impact

Read or write files accessible to web server process