CVE-2026-12198
Status: Received - Intake
Path Traversal Vulnerability in Microweber

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: microweber
Product: microweber
Version / Range: up to 2.0.20 (inclusive)
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability affects Microweber versions up to and including 2.0.20, in the API endpoint /api_nosession/thumbnail_img. The cache_path_relative parameter is not properly sanitized, so an attacker can include sequences such as ../ in it and traverse out of the thumbnail cache directory.

As a result, an unauthenticated attacker (the endpoint name indicates it is served without a session) can reach files outside the intended cache directory, either reading arbitrary files on the server or writing files to arbitrary locations. The CVE description locates the flaw in the userfiles_path function; the traversal sequences survive because normalize_path() only normalizes path separators and does not remove ../ components.

Impact Analysis

This vulnerability is serious because it allows remote attackers to read sensitive files on the server without authentication, such as configuration files and the credentials they hold, exposing confidential information.

Additionally, attackers can write files to arbitrary locations on the server, which could be used to implant backdoors (for example a web shell dropped into a web-served directory), deface websites, or further compromise the system.

Detection Guidance

This vulnerability can be detected by testing the Microweber API endpoint /api_nosession/thumbnail_img for path traversal via the cache_path_relative parameter.

Send HTTP requests that include traversal sequences such as ../ in the cache_path_relative parameter and check whether the server returns content from outside the intended cache directory. Test encoded variants as well (%2e%2e%2f, ..%5c and double-encoded forms), since a naive filter may catch only the literal ../ string.

For example, using curl to attempt to read a file known to exist in the application root, such as composer.json:

  • curl -v "http://[target]/api_nosession/thumbnail_img?cache_path_relative=../../../../composer.json"

If the response body contains the contents of the file, the system is vulnerable. Adjust the number of ../ segments to the depth of the cache directory below the application root; a 403 or 404 at every depth, alongside a normal response for a legitimate cache_path_relative value, suggests the traversal is being blocked.

Additionally, reviewing web-server access logs and network traffic for requests to /api_nosession/thumbnail_img whose cache_path_relative value contains ../ or its encoded equivalents may help detect exploitation attempts.
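The log review described above, as an added example that is not part of this advisory or of Microweber: a small Python scanner that reads combined-format access-log lines, keeps only requests to /api_nosession/thumbnail_img, and flags any cache_path_relative value that contains a ".." segment after percent-decoding (including double-encoded and backslash forms). The sample log lines are constructed for the example and do not come from real traffic.

```python
"""Scan access-log lines for traversal attempts against the Microweber
thumbnail endpoint.  Added example, not Microweber code."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/api_nosession/thumbnail_img"
PARAM = "cache_path_relative"

# Request portion of a combined-log-format line: "GET /path?q HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` further layers of percent-encoding.

    parse_qs already removes one layer, so this also catches values such
    as %252e%252e%252f that were double-encoded to slip past a WAF.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path segment.

    Backslashes are folded to '/' first, because the page's summary says the
    application normalizes separators before building the path.
    """
    folded = decode_fully(value).replace("\\", "/")
    return any(segment == ".." for segment in folded.split("/"))


def find_traversal_attempts(log_lines):
    """Return (line_no, client_ip, decoded_param) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != ENDPOINT:
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            if is_traversal(value):
                client_ip = line.split(" ", 1)[0]
                hits.append((line_no, client_ip, decode_fully(value)))
    return hits


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jun/2026:10:01:02 +0000] "GET /api_nosession/thumbnail_img'
    '?cache_path_relative=../../../../composer.json HTTP/1.1" 200 1342',
    '198.51.100.9 - - [15/Jun/2026:10:01:05 +0000] "GET /api_nosession/thumbnail_img'
    '?cache_path_relative=%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 200 411',
    '192.0.2.4 - - [15/Jun/2026:10:01:09 +0000] "GET /api_nosession/thumbnail_img'
    '?cache_path_relative=thumbs/2026/06/img_1.jpg HTTP/1.1" 200 20488',
    '203.0.113.7 - - [15/Jun/2026:10:01:12 +0000] "GET /api_nosession/thumbnail_img'
    '?cache_path_relative=..%5c..%5c.env HTTP/1.1" 404 0',
    '203.0.113.7 - - [15/Jun/2026:10:01:15 +0000] "GET /api_nosession/thumbnail_img'
    '?cache_path_relative=%252e%252e%252f%252e%252e%252fcomposer.json HTTP/1.1" 200 1342',
    '192.0.2.4 - - [15/Jun/2026:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for line_no, ip, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {line_no}: {ip} requested {value!r}")
```

A 200 with a non-trivial body on a flagged line is the strongest signal; a 404 still shows someone probing the endpoint and is worth correlating by source address.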

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable API endpoint /api_nosession/thumbnail_img to trusted users or internal networks only.

You should also validate the cache_path_relative parameter before it is used: rather than only normalizing separators, resolve the final path and reject the request unless the resolved path still lies under the thumbnail cache directory. Stripping the literal string ../ is not sufficient on its own, because encoded, doubled and backslash variants can reconstruct it.

The description notes that the vendor did not respond to the disclosure, so no fixed release is identified here; update Microweber to a version that addresses this vulnerability as soon as one is available.

In the meantime, consider using a web application firewall (WAF) to block requests to this endpoint whose parameters contain path traversal patterns. Make sure the rule inspects the parameter after URL decoding, so that %2e%2e%2f and double-encoded forms are caught as well as the plain ../.
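The containment check recommended above, as an added example that is not Microweber's code: Python is used here to illustrate the pattern (Microweber itself is written in PHP, where realpath() and a prefix comparison play the same role). The cache root directory, the function names and the "weak" normalizer are assumptions for the demonstration; the weak version only mirrors the behaviour the summary attributes to normalize_path(), unifying separators while leaving ".." segments in place.

```python
"""Weak separator-only normalization beside a hardened containment check
for a user-supplied cache path.  Added example, not Microweber code."""
import os

# Assumed location of the thumbnail cache; not taken from Microweber.
CACHE_ROOT = "/var/www/html/userfiles/cache"


def normalize_separators_only(path):
    """Weak normalization of the kind the summary describes: fold
    backslashes to '/', squeeze duplicate slashes, keep '..' untouched."""
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path


def weak_cache_path(relative, root=CACHE_ROOT):
    """Vulnerable pattern: join the normalized input onto the root and use
    it.  '../../../../composer.json' happily escapes the cache directory."""
    return os.path.join(root, normalize_separators_only(relative))


def safe_cache_path(relative, root=CACHE_ROOT):
    """Hardened pattern: resolve the joined path (collapsing '..' and
    following symlinks) and require it to stay under the cache root.
    Returns the resolved path, or None when the request must be rejected."""
    if not relative or "\x00" in relative:
        return None
    candidate = normalize_separators_only(relative)
    if candidate.startswith("/"):
        # An absolute path would make os.path.join discard the root.
        return None
    root_real = os.path.realpath(root)
    full_real = os.path.realpath(os.path.join(root_real, candidate))
    # commonpath compares whole segments, so a sibling such as
    # '/var/www/html/userfiles/cache2' is rejected even though it shares
    # a string prefix with the root (a plain startswith check would not).
    if os.path.commonpath([root_real, full_real]) != root_real:
        return None
    return full_real


if __name__ == "__main__":
    for probe in ("thumbs/2026/06/img_1.jpg", "../../../../composer.json",
                  "..\\..\\.env", "/etc/passwd"):
        print(f"{probe!r:32} weak={weak_cache_path(probe)!r}")
        print(f"{'':32} safe={safe_cache_path(probe)!r}")
```

Because the check resolves symlinks, a link inside the cache directory that points outside it is also rejected. The resolution is a point-in-time check, so the file should be opened immediately after it and the cache directory itself should not be writable by untrusted users.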

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files and write files to arbitrary locations on the server. This could lead to unauthorized access to sensitive data stored on the affected system.

Such unauthorized access and potential data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent data breaches.

Because the vulnerability enables attackers to access or manipulate files without authentication, it increases the risk of data leakage or tampering, which could result in violations of these standards.
