CVE-2025-70791: Microweber has a Cross-site Scripting vulnerability

February 5, 2026

Cross-site Scripting vulnerability in the “/admin/order/abandoned” endpoint of Microweber 2.0.19. An attacker can manipulate the “orderDirection” parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim’s browser. The issue was reported to the developers and fixed in version 2.0.20.

References

gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4
github.com/advisories/GHSA-5jg5-xqfw-rv92
github.com/microweber/microweber
github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f
nvd.nist.gov/vuln/detail/CVE-2025-70791

Code Behaviors & Features

Detect and mitigate CVE-2025-70791 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →