CVE-2025-70792
Unknown Unknown - Not Provided
Cross-Site Scripting in Microweber 2.0.19 Admin Endpoint

Publication date: 2026-02-05

Last updated on: 2026-02-10

Assigner: MITRE

Description
Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-70792
EUVD
EUVD-2025-206823
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microweber microweber 2.0.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-70792 is a Cross-Site Scripting (XSS) vulnerability in Microweber version 2.0.19, specifically in the "/admin/category/create" endpoint.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the "rel_id" parameter in the URL is not properly sanitized. An attacker can craft a malicious URL containing JavaScript code within this parameter.'}, {'type': 'paragraph', 'content': 'If an administrator visits this crafted URL, the injected JavaScript code executes in their browser, potentially allowing unauthorized actions or data exposure.'}, {'type': 'paragraph', 'content': 'This issue was reported to the developers and fixed in Microweber version 2.0.20.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in the browser of an administrator who visits a maliciously crafted URL.'}, {'type': 'paragraph', 'content': "Such code execution can lead to unauthorized actions being performed with the administrator's privileges or exposure of sensitive data accessible to the admin."}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the "/admin/category/create" endpoint of Microweber version 2.0.19 for improper sanitization of the "rel_id" parameter. Specifically, you can craft a URL with a JavaScript payload in the "rel_id" parameter and observe if the script executes in the browser.'}, {'type': 'paragraph', 'content': 'For example, visiting a URL like the following on a test system running Microweber 2.0.19 can demonstrate the vulnerability:'}, {'type': 'list_item', 'content': 'http://localhost/admin/category/create?category_subtype=default&data_type=category&id=0&is_hidden=1&parent=blog&parent_id=0&rel_id=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&rel_type=content'}, {'type': 'paragraph', 'content': 'If an alert popup appears immediately upon visiting this URL, it confirms the presence of the Cross-Site Scripting vulnerability.'}, {'type': 'paragraph', 'content': 'To reproduce or test this safely, you can clone the Microweber repository at version 2.0.19, build and run the application using Docker, and then visit the crafted URL.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and recommended step to mitigate this vulnerability is to upgrade Microweber from version 2.0.19 to version 2.0.20 or later, where the issue has been fixed.'}, {'type': 'paragraph', 'content': 'Until the upgrade can be performed, avoid clicking or visiting any URLs that contain suspicious or untrusted "rel_id" parameters in the "/admin/category/create" endpoint, especially if you have admin privileges.'}, {'type': 'paragraph', 'content': 'Additionally, consider implementing web application firewall (WAF) rules to detect and block requests containing suspicious script tags or JavaScript payloads in URL parameters.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart