Microweber 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は パス処理の欠陥、バッファオーバーフロー, and vendor risk open redirect に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で アプリケーションクラッシュ and vendor impact memory corruption などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-70792 | Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. | [email protected] | 6.1 | 0.02% | 2026-02-05 | 2026-02-10 |
| CVE-2025-70791 | Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. | [email protected] | 6.1 | 0.02% | 2026-02-05 | 2026-02-10 |
| CVE-2024-58289 | Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript. | [email protected] | 5.3 | 0.03% | 2025-12-11 | 2026-01-12 |
| CVE-2025-60954 | Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts. | [email protected] | 8.3 | 0.05% | 2025-10-24 | 2025-10-28 |
| CVE-2025-51504 | Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field. | [email protected] | 7.6 | 0.34% | 2025-08-01 | 2025-08-19 |
| CVE-2025-51502 | Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users. | [email protected] | 6.1 | 0.22% | 2025-08-01 | 2025-08-19 |
| CVE-2025-51501 | Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. | [email protected] | 6.1 | 0.26% | 2025-08-01 | 2025-08-19 |
| CVE-2025-51503 | A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers. | [email protected] | 7.6 | 0.52% | 2025-07-31 | 2025-08-06 |
| CVE-2025-34076 | An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoi | [email protected] | 6.1 | 48.76% | 2025-07-02 | 2025-08-20 |
| CVE-2025-2214 | A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.1 | 0.07% | 2025-03-12 | 2025-07-09 |
| CVE-2024-33299 | Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users | [email protected] | 4.7 | 1.55% | 2025-01-10 | 2025-07-03 |
| CVE-2024-33298 | Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup | [email protected] | 6.1 | 1.76% | 2025-01-10 | 2025-07-03 |
| CVE-2024-33297 | Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function | [email protected] | 4.7 | 1.41% | 2025-01-10 | 2025-07-03 |
| CVE-2024-40101 | A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter. | [email protected] | 6.1 | 1.15% | 2024-08-06 | 2025-03-25 |
| CVE-2024-41381 | microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php. | [email protected] | 6.1 | 1.19% | 2024-08-05 | 2025-07-10 |
| CVE-2024-41380 | microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php. | [email protected] | 6.1 | 1.29% | 2024-08-05 | 2025-07-10 |
| CVE-2023-6832 | Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. | [email protected] | 4.3 | 0.11% | 2023-12-15 | 2024-11-21 |
| CVE-2023-48122 | An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method. | [email protected] | 7.5 | 0.33% | 2023-12-08 | 2024-11-21 |
| CVE-2023-6599 | Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0. | [email protected] | 4.3 | 0.35% | 2023-12-08 | 2024-11-21 |
| CVE-2023-6566 | Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. | [email protected] | 6.5 | 0.10% | 2023-12-07 | 2024-11-21 |