microweber

115 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-70792
all versions
Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "
6.1 MEDIUM
CVE-2025-70791
all versions
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "
6.1 MEDIUM
CVE-2024-58289
all versions
Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scr
5.4 MEDIUM
CVE-2025-60954
all versions
Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during p
8.3 HIGH
CVE-2025-51504
all versions
Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS) in the /projects/profile, homepage endpoint via the last name field.
7.6 HIGH
CVE-2025-51502
all versions
Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrar
6.1 MEDIUM
CVE-2025-51501
all versions
Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS 2.0 allows
6.1 MEDIUM
CVE-2025-51503
all versions
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user pro
7.6 HIGH
CVE-2025-34076
<= 1.2.11
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup manag
7.2 HIGH
CVE-2025-2214
all versions
A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of th
3.5 LOW
CVE-2024-33299
<= 2.0.9
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and
4.7 MEDIUM
CVE-2024-33298
<= 2.0.9
Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the cre
6.1 MEDIUM
CVE-2024-33297
<= 2.0.9
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name
4.7 MEDIUM
CVE-2024-40101
<= 2.0.15
A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated
6.1 MEDIUM
CVE-2024-41381
all versions
microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php.
6.1 MEDIUM
CVE-2024-41380
all versions
microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagg
6.1 MEDIUM
CVE-2023-6832
< 2.0
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
4.3 MEDIUM
CVE-2023-48122
>= 2.0.1 and < 2.0.4
An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET meth
7.5 HIGH
CVE-2023-6599
< 2.0.0
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.
4.3 MEDIUM
CVE-2023-6566
< 2.0.0
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
6.5 MEDIUM
CVE-2023-49052
all versions
File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the fil
8.8 HIGH
CVE-2023-47379
all versions
Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.
5.4 MEDIUM
CVE-2023-5976
< 2.0.0
Improper Access Control in GitHub repository microweber/microweber prior to 2.0.
4.3 MEDIUM
CVE-2023-5861
< 2.0.0
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
4.8 MEDIUM
CVE-2023-5318
< 2.0
Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.
7.5 HIGH
CVE-2023-5244
< 2.0
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.
6.1 MEDIUM
CVE-2023-3142
< 2.0
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
5.4 MEDIUM
CVE-2023-2239
< 1.3.4
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.
6.5 MEDIUM
CVE-2023-2240
< 1.3.4
Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.
8.8 HIGH
CVE-2023-2014
< 1.3.3
Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.
4.8 MEDIUM
CVE-2023-1881
< 1.3.3
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
5.4 MEDIUM
CVE-2023-1877
< 1.3.3
Command Injection in GitHub repository microweber/microweber prior to 1.3.3.
9.8 CRITICAL
CVE-2023-1081
<= 1.3.2
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
4.8 MEDIUM
CVE-2021-32856
<= 1.2.12
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-past
6.1 MEDIUM
CVE-2023-0608
< 1.3.2
Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.
5.4 MEDIUM
CVE-2022-4732
<= 1.3.1
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
7.2 HIGH
CVE-2022-4647
<= 1.3.1
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.
6.1 MEDIUM
CVE-2022-4617
<= 1.3.1
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2.
6.1 MEDIUM
CVE-2022-0698
all versions
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.
6.1 MEDIUM
CVE-2022-33012
all versions
Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.
8.8 HIGH
CVE-2022-3245
< 1.3.2
HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the n
6.1 MEDIUM
CVE-2022-3242
< 1.3.2
Code Injection in GitHub repository microweber/microweber prior to 1.3.2.
6.1 MEDIUM
CVE-2022-2777
< 1.3.1
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
5.4 MEDIUM
CVE-2022-2470
< 1.2.21
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.
6.1 MEDIUM
CVE-2022-2495
< 1.2.21
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
4.8 MEDIUM
CVE-2021-36461
all versions
An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Pictur
8.8 HIGH
CVE-2022-2368
< 1.2.20
Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.
6.5 MEDIUM
CVE-2022-2353
< 1.2.20
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-sit
6.1 MEDIUM
CVE-2022-2300
< 1.2.19
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
5.4 MEDIUM
CVE-2022-2280
< 1.2.19
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
5.4 MEDIUM
CVE-2022-2252
< 1.2.19
Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.
6.1 MEDIUM
CVE-2022-2174
< 1.2.18
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.
6.1 MEDIUM
CVE-2022-2130
< 1.2.17
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.
6.1 MEDIUM
CVE-2022-1631
< 1.2.15
Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account T
8.8 HIGH
CVE-2022-1584
< 1.2.16
Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim
6.1 MEDIUM
CVE-2022-1555
< 1.2.16
DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface webs
6.1 MEDIUM
CVE-2022-1504
< 1.2.15
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.
6.1 MEDIUM
CVE-2022-1439
< 1.2.15
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary Ja
6.1 MEDIUM
CVE-2022-1036
< 1.2.12
Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microwe
7.5 HIGH
CVE-2022-0968
< 1.2.12
The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to ca
5.5 MEDIUM
CVE-2022-0963
< 1.2.12
Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
5.4 MEDIUM
CVE-2022-0961
< 1.2.12
The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a
5.5 MEDIUM
CVE-2022-0954
< 1.2.11
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops'
5.4 MEDIUM
CVE-2022-0930
< 1.2.12
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
4.8 MEDIUM
CVE-2022-0929
< 1.2.11
XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.
6.1 MEDIUM
CVE-2022-0926
< 1.2.12
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
4.8 MEDIUM
CVE-2022-0921
< 1.2.12
Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.
6.7 MEDIUM
CVE-2022-0928
<= 1.2.11
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.
5.4 MEDIUM
CVE-2022-0913
<= 1.2.11
Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3.
7.5 HIGH
CVE-2022-0912
< 1.2.11
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.
4.8 MEDIUM
CVE-2022-0906
< 1.1.2
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.
4.8 MEDIUM
CVE-2022-0895
< 1.3
Static Code Injection in GitHub repository microweber/microweber prior to 1.3.
9.8 CRITICAL
CVE-2022-0896
< 1.3
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
8.8 HIGH
CVE-2022-0855
< 0.0.4
Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4.
6.1 MEDIUM
CVE-2022-0777
< 1.3
Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3.
7.5 HIGH
CVE-2022-0723
< 1.2.11
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11.
5.4 MEDIUM
CVE-2022-0763
< 1.3
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
4.8 MEDIUM
CVE-2022-0762
< 1.3
Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.
5.5 MEDIUM
CVE-2022-0724
< 1.3
Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.
6.5 MEDIUM
CVE-2022-0721
< 1.3
Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.
6.5 MEDIUM
CVE-2022-0719
< 1.3
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
5.4 MEDIUM
CVE-2022-0688
< 1.2.11
Business Logic Errors in Packagist microweber/microweber prior to 1.2.11.
4.9 MEDIUM
CVE-2022-0690
< 1.2.11
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
6.1 MEDIUM
CVE-2022-0689
< 1.2.11
Use multiple time the one-time coupon in Packagist microweber/microweber prior to 1.2.11.
5.3 MEDIUM
CVE-2022-0678
< 1.2.11
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
6.1 MEDIUM
CVE-2022-0666
< 1.2.11
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/micr
7.5 HIGH
CVE-2022-0660
< 1.2.11
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
7.5 HIGH
CVE-2022-0638
< 1.2.11
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
4.3 MEDIUM
CVE-2022-0597
< 1.2.11
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
6.1 MEDIUM
CVE-2022-0596
< 1.2.11
Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.
4.3 MEDIUM
CVE-2022-0560
< 1.2.11
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
6.1 MEDIUM
CVE-2022-0557
< 1.2.11
OS Command Injection in Packagist microweber/microweber prior to 1.2.11.
7.2 HIGH
CVE-2022-0558
< 1.2.11
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4 MEDIUM
CVE-2022-0506
< 1.2.11
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4 MEDIUM
CVE-2022-0505
< 1.2.11
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
6.5 MEDIUM
CVE-2022-0504
< 1.2.11
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
6.5 MEDIUM
CVE-2022-0379
< 1.2.11
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4 MEDIUM
CVE-2022-0378
< 1.2.11
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
5.4 MEDIUM
CVE-2022-0282
<= 1.2.10
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
4.3 MEDIUM
CVE-2022-0281
<= 1.2.10
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
7.5 HIGH
CVE-2022-0278
< 1.2.11
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4 MEDIUM
CVE-2022-0277
<= 1.2.10
Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.
6.5 MEDIUM
CVE-2021-33988
all versions
Cross Site Scripting (XSS) vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user exec
6.1 MEDIUM
CVE-2020-28337
<= 1.1.20
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote
7.2 HIGH
CVE-2020-23140
all versions
Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes e
8.1 HIGH
CVE-2020-23139
all versions
Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could resu
5.5 MEDIUM
CVE-2020-23138
all versions
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP c
9.8 CRITICAL
CVE-2020-23136
all versions
Microweber v1.1.18 is affected by no session expiry after log-out.
5.5 MEDIUM
CVE-2020-13405
< 1.1.20
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users
7.5 HIGH
CVE-2020-13241
all versions
Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that th
7.8 HIGH
CVE-2018-19917
all versions
Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities.
6.1 MEDIUM
CVE-2018-1000826
<= 1.0.7
Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Ex
6.1 MEDIUM
CVE-2018-17104
all versions
An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative accoun
8.8 HIGH
CVE-2014-9464
<= 0.95
SQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute arbitrary SQ
CVE-2013-5984
<= 0.8
Directory traversal vulnerability in userfiles/modules/admin/backup/delete.php in Microweber before 0.830 allows remote attackers
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin