Bozhidar Slaveykov

42 exploits, active since Jan 2022
CVE-2022-0557 HIGH WRITEUP
Packagist microweber/microweber <1.2.11 - Command Injection
OS Command Injection in Packagist microweber/microweber prior to 1.2.11.
CVSS 7.2
CVE-2022-0666 HIGH WRITEUP
microweber/microweber <1.2.11 - Stack Trace Exposure
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
CVSS 7.5
CVE-2022-1631 HIGH WRITEUP
microweber < 1.2.15 - Unauthenticated Account Takeover via Email Registration
User account pre-takeover (leading to account takeover) in GitHub repository microweber/microweber prior to 1.2.15. Because registration requires no email confirmation, an attacker can create an account using the victim's email address before the victim does, obtaining pre-authenticated access to what will become the victim's account. When the victim later signs in through Social Login, the application neither properly validates the email returned by the identity provider nor checks whether an account with that address already exists, so the victim is silently placed into the attacker-created account and the attacker's access persists. The attacker can then see all activity performed by the victim (confidentiality) and modify or corrupt the victim's data (integrity and availability). The impact is greater when the attacker registers with an employee's email address; if the organization uses G Suite for Social Login, this amounts to hijacking the employee's account.
CVSS 8.8
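The pre-takeover above hinges on two decisions: registration that marks an address as owned without proving mailbox control, and social login that reuses any existing account matching the identity provider's email. The following is an added, self-contained model of both flows written for this page; it is not Microweber code, and the store, the `Account` fields and the `idp_email_verified` flag are assumptions used to make the logic runnable. The vulnerable functions reproduce the behaviour the advisory describes; the hardened ones hold the account in an unconfirmed state until a confirmation token is presented and discard an unconfirmed stub when a verified social login claims the same address.

```python
"""Model of the account pre-takeover flow (illustrative, not Microweber's implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_pw(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + dk.hex()


def check_pw(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class Account:
    email: str
    password_hash: Optional[str]   # None when the account exists only through social login
    email_verified: bool
    confirm_token: Optional[str] = None


Store = Dict[str, Account]         # email -> account (assumed in-memory store)


# ---- vulnerable flow: mirrors the behaviour described in the advisory ----
def register_vulnerable(store: Store, email: str, password: str) -> Account:
    # No confirmation step: whoever types the address owns the account immediately.
    acct = Account(email, hash_pw(password), email_verified=True)
    store[email] = acct
    return acct


def social_login_vulnerable(store: Store, idp_email: str) -> Account:
    # Lookup by email only; an existing (attacker-created) account is reused as-is,
    # so the attacker's password keeps working on the account the victim now uses.
    acct = store.get(idp_email)
    if acct is None:
        acct = store[idp_email] = Account(idp_email, None, email_verified=True)
    return acct


# ---- hardened flow ----
def register_hardened(store: Store, email: str, password: str) -> str:
    if email in store:
        raise ValueError("address already registered")
    token = secrets.token_urlsafe(32)
    store[email] = Account(email, hash_pw(password), email_verified=False, confirm_token=token)
    return token   # would be mailed to the address; the account is unusable until confirmed


def confirm_email(store: Store, email: str, token: str) -> bool:
    acct = store.get(email)
    if acct is None or acct.confirm_token is None:
        return False
    if not hmac.compare_digest(acct.confirm_token, token):
        return False
    acct.email_verified, acct.confirm_token = True, None
    return True


def social_login_hardened(store: Store, idp_email: str, idp_email_verified: bool) -> Account:
    if not idp_email_verified:
        raise PermissionError("identity provider has not verified this address")
    acct = store.get(idp_email)
    if acct is None or not acct.email_verified:
        # Either nobody holds the address, or someone registered it without ever proving
        # mailbox control. The IdP user just did, so an unconfirmed stub (and the password
        # on it) is replaced rather than handed over.
        acct = store[idp_email] = Account(idp_email, None, email_verified=True)
    return acct


def password_login(store: Store, email: str, password: str) -> Optional[Account]:
    acct = store.get(email)
    if acct is None or acct.password_hash is None or not acct.email_verified:
        return None
    return acct if check_pw(password, acct.password_hash) else None


def attacker_keeps_access(hardened: bool) -> bool:
    """Replay the scenario: the attacker pre-registers victim@example.com, the victim then
    signs in via social login. True if the attacker's password still opens the account
    the victim is now using."""
    store: Store = {}
    victim, attacker_pw = "victim@example.com", "attacker-chosen"   # constructed sample
    if hardened:
        register_hardened(store, victim, attacker_pw)   # token goes to a mailbox the attacker cannot read
        victim_acct = social_login_hardened(store, victim, idp_email_verified=True)
    else:
        register_vulnerable(store, victim, attacker_pw)
        victim_acct = social_login_vulnerable(store, victim)
    return password_login(store, victim, attacker_pw) is victim_acct


if __name__ == "__main__":
    print("vulnerable: attacker keeps access =", attacker_keeps_access(hardened=False))
    print("hardened:   attacker keeps access =", attacker_keeps_access(hardened=True))
```

Refusing to log anyone into an unconfirmed account, and refusing to treat an identity-provider email as proof of ownership unless the provider itself reports it as verified, are the two checks that close the window; an application that does only one of them still leaves the other path open.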
CVE-2025-34076 HIGH WRITEUP
Microweber CMS <=1.2.11 - Local File Inclusion
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
CVSS 7.2
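The backup-API issue is a path-confinement failure: an absolute value in `src` is accepted as the file to back up, the file is moved into the backup store, and the download endpoint hands it back. The block below is an added example written for this page, not Microweber's code; the `BackupApi*` classes, the upload/backup directory layout and the sample files are assumptions chosen so the behaviour can be reproduced offline in a temporary directory. The vulnerable class shows why `os.path.join` with an absolute or `..` component escapes the intended directory; the hardened class resolves every user-supplied path against its base directory and rejects anything that lands outside it, including symlinks that point outside.

```python
"""Path confinement for a backup upload/download API (illustrative, not Microweber's code)."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

SECRET = b"<?php $db_password = 'hunter2';"   # constructed sample: a file outside the web root
LEGIT = b"PK\x03\x04 site backup"              # constructed sample: a legitimate upload


def resolve_inside(base: Path, user_path: str) -> Path:
    """Resolve user_path relative to base; refuse absolute paths, '..' escapes and symlinks
    whose target lies outside base."""
    if Path(user_path).is_absolute():
        raise PermissionError("absolute paths are not allowed")
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base.resolve())
    except ValueError:
        raise PermissionError(f"{user_path!r} escapes {base}") from None
    return candidate


class BackupApiVulnerable:
    def __init__(self, upload_dir: Path, backup_dir: Path):
        self.upload_dir, self.backup_dir = str(upload_dir), str(backup_dir)

    def upload(self, src: str) -> str:
        # os.path.join discards upload_dir when src is absolute, and '..' is not checked,
        # so src names any file the web service user can reach.
        path = os.path.join(self.upload_dir, src)
        dest = os.path.join(self.backup_dir, os.path.basename(path))
        shutil.move(path, dest)   # the target file is relocated out of its original location
        return os.path.basename(dest)

    def download(self, name: str) -> bytes:
        return Path(self.backup_dir, name).read_bytes()


class BackupApiHardened:
    def __init__(self, upload_dir: Path, backup_dir: Path):
        self.upload_dir, self.backup_dir = upload_dir, backup_dir

    def upload(self, src: str) -> str:
        path = resolve_inside(self.upload_dir, src)   # only files already inside the upload area
        if not path.is_file():
            raise FileNotFoundError(src)
        dest = self.backup_dir / path.name
        shutil.copy2(path, dest)   # copy rather than move: the API should never remove the source
        return dest.name

    def download(self, name: str) -> bytes:
        target = resolve_inside(self.backup_dir, name)
        if not target.is_file():
            raise FileNotFoundError(name)
        return target.read_bytes()


def probe(hardened: bool, src_kind: str) -> Optional[bytes]:
    """Build a throwaway tree, send one upload/download round trip and return the bytes the
    download endpoint produced, or None if the hardened checks rejected the request."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads, backups = root / "www" / "userfiles", root / "www" / "backups"
        secret = root / "outside" / "config.php"
        for d in (uploads, backups, secret.parent):
            d.mkdir(parents=True)
        secret.write_bytes(SECRET)
        (uploads / "site.zip").write_bytes(LEGIT)
        src = {
            "absolute": str(secret),                    # absolute path in the src parameter
            "traversal": "../../outside/config.php",    # relative escape from the upload dir
            "legit": "site.zip",                        # the intended use of the endpoint
        }[src_kind]
        api = (BackupApiHardened if hardened else BackupApiVulnerable)(uploads, backups)
        try:
            return api.download(api.upload(src))
        except PermissionError:
            return None


if __name__ == "__main__":
    for kind in ("absolute", "traversal", "legit"):
        print(f"{kind:9s} vulnerable={probe(False, kind)!r}  hardened={probe(True, kind)!r}")
```

Two details matter in the hardened version: the absolute-path check comes before joining, because `Path(base) / "/etc/passwd"` silently yields `/etc/passwd`, and the containment test is done on the resolved path, so a symlink dropped into the upload directory cannot be used to reach outside it.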
CVE-2022-0277 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - Privilege Escalation
Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.
CVSS 6.5
CVE-2022-0278 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVSS 5.4
CVE-2022-0281 HIGH WRITEUP
Packagist microweber/microweber <1.2.11 - Info Disclosure
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
CVSS 7.5
CVE-2022-0282 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
CVSS 4.3
CVE-2022-0378 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
CVSS 5.4
CVE-2022-0379 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVSS 5.4
CVE-2022-0504 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - Info Disclosure
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
CVSS 6.5
CVE-2022-0505 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - CSRF
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
CVSS 6.5
CVE-2022-0506 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVSS 5.4
CVE-2022-0558 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVSS 5.4
CVE-2022-0560 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - Open Redirect
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
CVSS 6.1
CVE-2022-0596 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - Info Disclosure
Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.
CVSS 4.3
CVE-2022-0638 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - CSRF
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
CVSS 4.3
CVE-2022-0660 HIGH WRITEUP
Packagist microweber/microweber <1.2.11 - Info Disclosure
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
CVSS 7.5
CVE-2022-0678 MEDIUM WRITEUP
Packagist microweber/microweber <1.2.11 - XSS
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
CVSS 6.1
CVE-2022-0719 MEDIUM WRITEUP
microweber < 1.3 - Reflected Cross-Site Scripting
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
CVSS 5.4
CVE-2022-0721 MEDIUM WRITEUP
microweber/microweber <1.3 - Info Disclosure
Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.
CVSS 6.5
CVE-2022-0724 MEDIUM WRITEUP
microweber/microweber <1.3 - Info Disclosure
Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.
CVSS 6.5
CVE-2022-0762 MEDIUM WRITEUP
microweber/microweber <1.3 - Info Disclosure
Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.
CVSS 5.5
CVE-2022-0763 MEDIUM WRITEUP
microweber < 1.3 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
CVSS 4.8