| Field | Value |
|---|---|
| Title | Microweber 2.0.20 Path Traversal |
| Description | An unauthenticated path traversal vulnerability exists in Microweber v2.0.20 in the publicly reachable hidden API endpoint /api_nosession/thumbnail_img. The cache_path_relative parameter is not properly validated before being used in filesystem path construction, and traversal sequences such as ../ are not removed. Under the tested conditions, this allows arbitrary file read and path-controlled file write outside the intended thumbnail cache directory. The issue was privately reported to the vendor by email in early April 2026. A limited public GitHub issue was opened in mid-April 2026, but as of May 14, 2026 no vendor response has been received. Public technical references are provided for CNA/VulDB review. |
| Source | https://github.com/whuHouYF/microweber-vuldb-disclosure-2026/blob/991630c494a99c70a96e456992a04de2ecb5a1e1/reports/microweber-path-traversal.md |
| User | TarryHou (UID 97936) |
| Submission | 05/14/2026 11:55 (1 month ago) |
| Moderation | 06/14/2026 09:10 (1 month later) |
| Status | Accepted |
| VulDB entry | 370841 [Microweber up to 2.0.20 API Endpoint thumbnail_img userfiles_path cache_path_relative path traversal] |
| Points | 20 |