CVE-2025-70792: Microweber Cross-site Scripting vulnerability

February 5, 2026

There is a Cross-site Scripting vulnerability in the “/admin/category/create” endpoint of Microweber 2.0.19. An attacker can manipulate the “rel_id” parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim’s browser. The issue was reported to the developers and fixed in version 2.0.20.

References

gist.github.com/TimRecktenwald/f4b0d1edbb87e75c17c639ca0bacba57
github.com/advisories/GHSA-6w5w-jx4x-vjvw
github.com/microweber/microweber
github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f
nvd.nist.gov/vuln/detail/CVE-2025-70792

Code Behaviors & Features

Detect and mitigate CVE-2025-70792 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →