CVE-2025-70791

Published: Feb 5, 2026

Modified: Feb 5, 2026

PUBLISHED

Description

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f

https://gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-70791

Description

Affected Products

References