CVE-2023-49052

HIGH

Microweber 2.0.4 - Unauthenticated Arbitrary File Upload via Created Forms Component

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-49052. PoCs published by Cyber-Wo0dy.

AI-analyzed exploit summary This repository provides a detailed technical writeup for CVE-2023-49052, demonstrating how an attacker can bypass file upload restrictions in Microweber CMS v2.0.4 to upload malicious HTML files, leading to potential XSS or other client-side attacks. The steps include creating a form with a file upload field, crafting a malicious HTML file, and exploiting the vulnerability to execute arbitrary JavaScript.

Description

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.

Exploits (1)

nomisec WRITEUP
by Cyber-Wo0dy · poc
https://github.com/Cyber-Wo0dy/CVE-2023-49052

This repository provides a detailed technical writeup for CVE-2023-49052, demonstrating how an attacker can bypass file upload restrictions in Microweber CMS v2.0.4 to upload malicious HTML files, leading to potential XSS or other client-side attacks. The steps include creating a form with a file upload field, crafting a malicious HTML file, and exploiting the vulnerability to execute arbitrary JavaScript.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Microweber CMS v2.0.4
No auth needed
Prerequisites: Microweber CMS v2.0.4 with file upload enabled in forms
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.2627
EPSS Percentile 96.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (2)
microweber/microweber 2.0.4
microweber/microweber 0Packagist
Published Nov 30, 2023
Tracked Since Feb 18, 2026