Skip to main content

Microweber

94 CVEs product

Monthly

CVE-2026-12198 MEDIUM POC This Month

Path traversal in Microweber CMS up to version 2.0.20 exposes the unauthenticated `/api_nosession/thumbnail_img` endpoint to file system manipulation via the `cache_path_relative` parameter of the `userfiles_path` function. Remote, unauthenticated attackers can traverse outside the intended directory to read - and potentially write - files accessible to the web server process. A public proof-of-concept exploit is available and the vendor did not respond to responsible disclosure, meaning no patch exists at time of analysis.

Path Traversal Microweber
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-70792 PHP MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70791 PHP MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-51504 PHP HIGH POC This Month

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-51502 PHP MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-51501 PHP MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-34076 PHP HIGH POC PATCH THREAT Act Now

An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.

Path Traversal Microweber
NVD GitHub
CVSS 3.1
7.2
EPSS
21.3%
CVE-2025-2214 PHP MEDIUM POC This Month

A vulnerability was found in Microweber 2.0.19. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Microweber
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2024-33299 PHP MEDIUM POC Monitor

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Microweber
NVD GitHub
CVSS 3.1
4.7
EPSS
1.1%
CVE-2024-33298 PHP MEDIUM POC This Month

Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2024-33297 PHP MEDIUM POC Monitor

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Microweber
NVD GitHub
CVSS 3.1
4.7
EPSS
1.0%
CVE-2024-40101 PHP MEDIUM PATCH This Month

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2024-41381 PHP MEDIUM POC This Month

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-41380 PHP MEDIUM POC This Month

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-6832 PHP MEDIUM POC PATCH This Month

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-48122 PHP HIGH POC PATCH This Week

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-6599 PHP MEDIUM POC PATCH This Month

Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-6566 PHP MEDIUM POC PATCH This Month

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-49052 PHP HIGH POC This Week

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Microweber
NVD GitHub
CVSS 3.1
8.8
EPSS
2.4%
CVE-2023-47379 PHP MEDIUM PATCH This Month

Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

File Upload XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-5976 PHP MEDIUM POC PATCH This Month

Improper Access Control in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-5861 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-5318 PHP HIGH PATCH This Week

Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-5244 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2023-3142 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-2239 PHP MEDIUM PATCH This Month

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Microweber
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-2240 PHP HIGH PATCH This Week

Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Microweber
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-2014 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.5%
CVE-2023-1881 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-1877 PHP CRITICAL POC PATCH Act Now

Command Injection in GitHub repository microweber/microweber prior to 1.3.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Microweber
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2023-1081 PHP MEDIUM PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

XSS Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-0608 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-4732 PHP HIGH POC PATCH THREAT This Week

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Microweber
NVD GitHub
CVSS 3.1
7.2
EPSS
38.2%
CVE-2022-4647 PHP MEDIUM PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-4617 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-0698 PHP MEDIUM POC This Month

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2022-33012 PHP HIGH POC This Week

Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Microweber
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-3245 PHP MEDIUM POC PATCH This Month

HTML injection attack is closely related to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE XSS Code Injection Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-3242 PHP MEDIUM POC PATCH This Month

Code Injection in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%
CVE-2022-2777 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-2470 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-2495 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-2368 PHP CRITICAL POC PATCH Act Now

Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-2353 PHP MEDIUM POC PATCH This Month

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-2300 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-2280 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-2252 PHP MEDIUM POC PATCH This Month

Open Redirect in GitHub repository microweber/microweber prior to 1.2.19. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Open Redirect Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-2174 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
2.8%
CVE-2022-2130 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
2.9%
CVE-2022-1631 PHP HIGH POC PATCH This Week

Users Account Pre-Takeover or Users Account Takeover. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
9.0%
CVE-2022-1584 PHP MEDIUM POC PATCH This Month

Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1555 PHP MEDIUM POC PATCH This Month

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2022-1504 PHP MEDIUM POC PATCH This Month

XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2022-1439 PHP MEDIUM POC PATCH This Month

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
3.3%
CVE-2022-1036 PHP HIGH POC PATCH This Week

Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-0968 PHP MEDIUM POC PATCH This Month

The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Microweber
NVD GitHub
CVSS 3.1
5.5
EPSS
3.7%
CVE-2022-0963 PHP MEDIUM POC PATCH This Month

Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
1.9%
CVE-2022-0961 PHP MEDIUM POC PATCH This Month

The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Microweber
NVD GitHub
CVSS 3.1
5.5
EPSS
1.0%
CVE-2022-0954 PHP MEDIUM POC PATCH This Month

Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
3.2%
CVE-2022-0930 PHP MEDIUM POC PATCH This Month

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2022-0929 PHP MEDIUM POC PATCH This Month

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-0926 PHP MEDIUM POC PATCH This Month

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.8%
CVE-2022-0921 PHP MEDIUM POC PATCH This Month

Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available.

RCE Code Injection Microweber
NVD GitHub
CVSS 3.1
6.7
EPSS
2.1%
CVE-2022-0928 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
2.4%
CVE-2022-0913 PHP HIGH POC PATCH This Week

Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-0912 PHP MEDIUM POC PATCH This Month

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-0906 PHP MEDIUM POC PATCH This Month

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-0895 PHP CRITICAL POC PATCH Act Now

Static Code Injection in GitHub repository microweber/microweber prior to 1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Microweber
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0896 PHP HIGH POC PATCH This Week

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Ssti Information Disclosure Microweber
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-0777 PHP HIGH POC PATCH This Week

Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-0723 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2022-0763 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-0762 PHP MEDIUM POC PATCH This Month

Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2022-0724 PHP MEDIUM POC PATCH This Month

Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
CVE-2022-0721 PHP MEDIUM POC PATCH This Month

Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2022-0719 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2022-0688 PHP MEDIUM POC PATCH This Month

Business Logic Errors in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-0690 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-0689 PHP MEDIUM POC PATCH This Month

Use multiple time the one-time coupon in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2022-0678 PHP MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
2.3%
CVE-2022-0666 PHP HIGH POC PATCH THREAT This Week

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
44.3%
CVE-2022-0660 PHP HIGH POC PATCH This Week

Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
6.9%
CVE-2022-0638 PHP MEDIUM PATCH This Month

Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Microweber
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-33988 PHP MEDIUM POC PATCH This Month

Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-23140 HIGH This Week

Microweber 1.1.18 is affected by insufficient session expiration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microweber
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
CVE-2020-23139 MEDIUM This Month

Microweber 1.1.18 is affected by broken authentication and session management. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microweber
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-23138 CRITICAL Act Now

An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload PHP Microweber
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-23136 PHP MEDIUM This Month

Microweber v1.1.18 is affected by no session expiry after log-out. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Microweber
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-13405 PHP HIGH POC PATCH THREAT This Week

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass PHP Microweber
NVD GitHub
CVSS 3.1
7.5
EPSS
13.7%
CVE-2020-13241 PHP HIGH POC This Week

Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

File Upload Microweber
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Path traversal in Microweber CMS up to version 2.0.20 exposes the unauthenticated `/api_nosession/thumbnail_img` endpoint to file system manipulation via the `cache_path_relative` parameter of the `userfiles_path` function. Remote, unauthenticated attackers can traverse outside the intended directory to read - and potentially write - files accessible to the web server process. A public proof-of-concept exploit is available and the vendor did not respond to responsible disclosure, meaning no patch exists at time of analysis.

Path Traversal Microweber
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
EPSS 0% CVSS 7.6
HIGH POC This Month

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
EPSS 21% CVSS 7.2
HIGH POC PATCH THREAT Act Now

An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.

Path Traversal Microweber
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability was found in Microweber 2.0.19. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Microweber
NVD GitHub VulDB
EPSS 1% CVSS 4.7
MEDIUM POC Monitor

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM POC Monitor

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Microweber
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Microweber
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

File Upload XSS Microweber
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Improper Access Control in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Microweber
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Microweber
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Microweber
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Command Injection in GitHub repository microweber/microweber prior to 1.3.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Microweber
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 38% CVSS 7.2
HIGH POC PATCH THREAT This Week

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

HTML injection attack is closely related to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE XSS Code Injection +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Code Injection in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Microweber
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Microweber
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Open Redirect in GitHub repository microweber/microweber prior to 1.2.19. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Open Redirect Microweber
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 9% CVSS 8.8
HIGH POC PATCH This Week

Users Account Pre-Takeover or Users Account Takeover. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Microweber
NVD GitHub
EPSS 4% CVSS 5.5
MEDIUM POC PATCH This Month

The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Microweber
NVD GitHub
EPSS 2% CVSS 5.4
MEDIUM POC PATCH This Month

Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Microweber
NVD GitHub
EPSS 3% CVSS 5.4
MEDIUM POC PATCH This Month

Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Microweber
NVD GitHub
EPSS 2% CVSS 6.7
MEDIUM POC PATCH This Month

Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available.

RCE Code Injection Microweber
NVD GitHub
EPSS 2% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Microweber
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Microweber
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Microweber
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Static Code Injection in GitHub repository microweber/microweber prior to 1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Microweber
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Ssti Information Disclosure Microweber
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Microweber
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

Business Logic Errors in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Use multiple time the one-time coupon in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microweber
NVD GitHub
EPSS 44% CVSS 7.5
HIGH POC PATCH THREAT This Week

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Microweber
NVD GitHub
EPSS 7% CVSS 7.5
HIGH POC PATCH This Week

Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Microweber
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Microweber
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Microweber 1.1.18 is affected by insufficient session expiration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microweber
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Microweber 1.1.18 is affected by broken authentication and session management. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microweber
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload PHP Microweber
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Microweber v1.1.18 is affected by no session expiry after log-out. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Microweber
NVD GitHub VulDB
EPSS 14% CVSS 7.5
HIGH POC PATCH THREAT This Week

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass PHP Microweber
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

File Upload Microweber
NVD GitHub
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy