QwikSec

Security Database

CVE

CWE

Training

CVE-2025-13648

Published: Feb 11, 2026

Modified: Feb 11, 2026

PUBLISHED

Description

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31.

Vendor	Product	Versions
Microcom	ZeusWeb	affected `6.1.31`

Weaknesses (CWE)

References

https://www.hackrtu.com/blog/CNA-HRTU-0001/

technical-description

patch

https://www.hackrtu.com/blog/CNA-CVE-2025-13648/

technical-description

patch

https://www.microcom360.com/servicio-zeus-web/

product

https://zeus.microcom.es:4040/

product

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.