Cross-site Scripting (XSS) - Reflected in microweber/microweber


Reported on

Feb 20th 2022


The endpoint{id}/edit is vulnerable to cross site scripting. The "Edit source" field is affected.

Proof of Concept

  1. Login into
  2. Navigate to
  3. click EditSource, and put this payload:

<img src=x onerror=alert(1)>

  1. and click Ok
  2. The xss payload will be executed.


Cross site scripting attacks can lead to account takeover via cookie stealing, temporary webpage deface, redirections etc.

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 3 months ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the microweber team. We will try again in 7 days. 3 months ago
Bozhidar Slaveykov confirmed that a fix has been merged on 15e519 3 months ago
Bozhidar Slaveykov has been awarded the fix bounty
3 months ago


We clean this xss on a backend

to join this conversation