CVE-2025-70792

MEDIUM6.1EPSS 0.02%

Microweber Cross-site Scripting vulnerability

Published: 2/5/2026Modified: 2/5/2026

Description

There is a Cross-site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.

Affected packages (1)

Packagist/microweber/microweberfrom 0, < 2.0.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-70792
PATCHhttps://github.com/microweber/microweber
WEBhttps://gist.github.com/TimRecktenwald/f4b0d1edbb87e75c17c639ca0bacba57
WEBhttps://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f