Description
A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microweber versions up to 2.0.20 contain a flaw in the /api_nosession/thumbnail_img endpoint. The cache_path_relative parameter can be manipulated to include directory traversal characters, resulting in a path traversal vulnerability (CWE-22). The CVE description indicates that the attack can be launched remotely and that a public exploit is available, suggesting that the flaw could be leveraged for further attacks.

Affected Systems

The issue affects Microweber CMS up to and including release 2.0.20; newer releases have not been publicly identified as affected. The vulnerable code is the userfiles_path function behind the endpoint served at /api_nosession/thumbnail_img.

Risk and Exploitability

The CVSS v4.0 score of 6.9 denotes moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be triggered remotely by invoking the API endpoint without authentication. A publicly available exploit exists, meaning that exposed endpoints could be abused until remedied.

Generated by OpenCVE AI on June 15, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Microweber to a version newer than 2.0.20.
  • If an upgrade is not immediately possible, restrict access to the /api_nosession/thumbnail_img endpoint to authenticated users only.
  • Implement server-side validation of the cache_path_relative parameter to reject directory traversal sequences such as "../".
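As an added illustration of the third recommendation (example code, not OpenCVE's or Microweber's own), the Python below contrasts a literal "../" blocklist with a decode-canonicalise-confine check on a cache_path_relative value. The base directory is an assumption and the probe inputs are constructed.

```python
import os
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed base directory standing in for a CMS "userfiles" folder
# (an assumption for this example, not Microweber's actual layout).
USERFILES = "/srv/app/userfiles"


def naive_resolve(base: str, cache_path_relative: str) -> str:
    """Blocklist approach: strip '../' once and join. Shown only to illustrate why it fails."""
    cleaned = cache_path_relative.replace("../", "")
    # os.path.join silently discards base when the second argument is absolute
    return os.path.normpath(os.path.join(base, cleaned))


def confined_resolve(base: str, cache_path_relative: str) -> Optional[str]:
    """Allowlist approach: decode, canonicalise, then prove the result stays under base."""
    rel = unquote(cache_path_relative)              # decode before validating, never after
    if "\x00" in rel or rel.startswith(("/", "\\")):  # NUL bytes and absolute paths are never valid
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, rel))  # collapses '..', '.', symlinks
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:                              # mixed drives / abs-rel on Windows
        inside = False
    return candidate if inside else None


# Constructed inputs for demonstration; the label says what each one probes.
PROBES = {
    "thumbs/a.jpg": "benign relative path",
    "../../etc/passwd": "plain traversal",
    "....//....//etc/passwd": "becomes '../../' after one round of stripping",
    "/etc/passwd": "absolute path swallows the base in os.path.join",
    "..%2F..%2Fetc%2Fpasswd": "URL-encoded traversal, missed by a literal '../' check",
}


def compare(base: str = USERFILES) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {input: (naive_result, confined_result)} for every probe."""
    return {p: (naive_resolve(base, p), confined_resolve(base, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (naive, confined) in compare().items():
        print(f"{probe!r:28} {PROBES[probe]}\n    naive={naive!r}\n    confined={confined!r}")
```

The naive variant lets the absolute and double-encoded-dot inputs leave the base directory, while the confined variant returns None for every escaping input and a canonical path for the benign one.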

Generated by OpenCVE AI on June 15, 2026 at 02:21 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 00:15:00 +0000 (initial record; values removed: none; values added:)

Description: A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Microweber API Endpoint thumbnail_img userfiles_path path traversal
First Time appeared: Microweber; Microweber microweber
Weaknesses: CWE-22
CPEs: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
Vendors & Products: Microweber; Microweber microweber
References: (empty)
Metrics:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Microweber Microweber
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T00:00:08.994Z

Reserved: 2026-06-14T07:10:21.029Z

Link: CVE-2026-12198

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-15T00:16:43.803

Modified: 2026-06-15T00:16:43.803

Link: CVE-2026-12198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T02:30:26Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')