A vulnerability categorized as critical has been discovered in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Manipulating the argument cache_path_relative can lead to path traversal.
This vulnerability is registered as CVE-2026-12198. It is possible to launch the attack remotely. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.