| Title | Microweber 2.0.20 Cross Site Scripting |
|---|---|
| Description | A stored cross-site scripting vulnerability exists in Microweber v2.0.20. The user profile editing functionality at `/admin/users/<user-id>/edit` does not safely handle attacker-controlled values placed into the First Name and Last Name fields. A user with permission to edit another user's profile can store a crafted payload, which is later rendered as part of the victim user's display name without sufficient output encoding. This allows JavaScript execution in another authenticated user's browser. The issue was privately reported to the vendor by email in early April 2026. As of May 14, 2026, no vendor response has been received. Public technical references are provided for CNA/VulDB review. |
| Source | https://github.com/whuHouYF/microweber-vuldb-disclosure-2026/blob/991630c494a99c70a96e456992a04de2ecb5a1e1/reports/microweber-xss.md |
| User | TarryHou (UID 97936) |
| Submission | 05/14/2026 11:52 (1 month ago) |
| Moderation | 06/14/2026 09:08 (1 month later) |
| Status | Duplicate |
| VulDB entry | 336056 [Microweber 2.0.15 cross site scripting] |
| Points | 0 |