MicroweberCVEs & Vulnerabilities

112 CVEs affecting Microweber products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

microweber 111whmcs 1
CVE-2022-1439KEVMEDIUMin the wild

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.

11 Apr 2026
6.1
CVSS
CVE-2025-60954HIGH

Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts.

25 Oct 2025
8.3
CVSS
CVE-2025-51504HIGH

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field.

1 Aug 2025
7.6
CVSS
CVE-2025-51502MEDIUM

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.

1 Aug 2025
6.1
CVSS
CVE-2025-51501MEDIUM

Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript.

1 Aug 2025
6.1
CVSS
CVE-2025-51503HIGH

A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.

31 Jul 2025
7.6
CVSS
CVE-2025-34076HIGH

An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.

2 Jul 2025
7.2
CVSS
CVE-2025-2214MEDIUM

A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

12 Mar 2025
6.1
CVSS
CVE-2024-33299MEDIUM

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users

10 Jan 2025
4.7
CVSS
CVE-2024-33298MEDIUM

Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup

10 Jan 2025
6.1
CVSS
CVE-2024-33297MEDIUM

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function

10 Jan 2025
4.7
CVSS
CVE-2024-40101MEDIUM

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.

6 Aug 2024
6.1
CVSS
CVE-2024-41381MEDIUM

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php.

5 Aug 2024
6.1
CVSS
CVE-2024-41380MEDIUM

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php.

5 Aug 2024
6.1
CVSS
CVE-2023-6832MEDIUM

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

15 Dec 2023
4.3
CVSS
CVE-2023-48122HIGH

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.

8 Dec 2023
7.5
CVSS
CVE-2023-6599MEDIUM

Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.

8 Dec 2023
4.3
CVSS
CVE-2023-6566MEDIUM

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

7 Dec 2023
6.5
CVSS
CVE-2023-49052HIGH

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.

30 Nov 2023
8.8
CVSS
CVE-2023-47379MEDIUM

Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.

8 Nov 2023
5.4
CVSS
CVE-2023-5976MEDIUM

Improper Access Control in GitHub repository microweber/microweber prior to 2.0.

7 Nov 2023
4.3
CVSS
CVE-2023-5861MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.

31 Oct 2023
4.8
CVSS
CVE-2023-5318HIGH

Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.

30 Sep 2023
7.5
CVSS
CVE-2023-5244MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.

28 Sep 2023
6.1
CVSS
CVE-2023-3142MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.

7 Jun 2023
5.4
CVSS
CVE-2023-2239MEDIUM

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.

22 Apr 2023
6.5
CVSS
CVE-2023-2240HIGH

Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.

22 Apr 2023
8.8
CVSS
CVE-2023-2014MEDIUM

Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.

13 Apr 2023
4.8
CVSS
CVE-2023-1881MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

5 Apr 2023
5.4
CVSS
CVE-2023-1877CRITICAL

Command Injection in GitHub repository microweber/microweber prior to 1.3.3.

5 Apr 2023
9.8
CVSS
CVE-2023-1081MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

28 Feb 2023
4.8
CVSS
CVE-2021-32856MEDIUM

Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted in versions 1.2.9 and 1.2.12, but it is incomplete.

21 Feb 2023
6.1
CVSS
CVE-2023-0608MEDIUM

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.

1 Feb 2023
5.4
CVSS
CVE-2022-4732HIGH

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.

27 Dec 2022
7.2
CVSS
CVE-2022-4647MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.

22 Dec 2022
6.1
CVSS
CVE-2022-4617MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2.

21 Dec 2022
6.1
CVSS
CVE-2022-0698MEDIUM

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.

25 Nov 2022
6.1
CVSS
CVE-2022-33012HIGH

Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.

22 Nov 2022
8.8
CVSS
CVE-2022-3245MEDIUM

HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.

20 Sep 2022
6.1
CVSS
CVE-2022-3242MEDIUM

Code Injection in GitHub repository microweber/microweber prior to 1.3.2.

20 Sep 2022
6.1
CVSS
CVE-2022-2777MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.

11 Aug 2022
5.4
CVSS
CVE-2022-2470MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

22 Jul 2022
6.1
CVSS
CVE-2022-2495MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

22 Jul 2022
4.8
CVSS
CVE-2021-36461HIGH

An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini.

15 Jul 2022
8.8
CVSS
CVE-2022-2368CRITICAL

Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.

11 Jul 2022
9.8
CVSS
CVE-2022-2353MEDIUM

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.

9 Jul 2022
6.1
CVSS
CVE-2022-2300MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

4 Jul 2022
5.4
CVSS
CVE-2022-2280MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

1 Jul 2022
5.4
CVSS
← PrevPage 1 / 3Next →