The microweber application allows a large number of characters to be inserted in the "Email" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in microweber/microweber


Reported on

May 13th 2022


  1. Go to the home page; there will be an option to sign up with email and phone number, with 3 checkboxes.
  2. Fill the email parameter with a huge number of characters.
  3. When the admin checks the notification, it will be flooded with our payload.


Patch recommendation:

  1. The Email input should be limited to 50 characters or max 100 characters.


  1. It can lead to DoS.
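
One way to enforce the recommended limit on the server, since a crafted HTTP request bypasses any length limit set in the form itself. This is an added example, not microweber's code or the fix in commit 4ac2a4; the function names, the `MAX_EMAIL_LENGTH` constant and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed limit: the report recommends 50, or at most 100, characters.
const MAX_EMAIL_LENGTH = 100;

/**
 * Hypothetical server-side check for the signup "Email" field.
 * Returns [true, email] on success or [false, reason] on rejection.
 */
function validate_signup_email($raw): array
{
    // A crafted request can send an array (email[]=...) or omit the field.
    if (!is_string($raw)) {
        return [false, 'email must be a string'];
    }
    // Reject oversized input first, before parsing, storage or notification.
    // strlen() counts bytes, so the cap is never looser than the character limit.
    if (strlen($raw) > MAX_EMAIL_LENGTH) {
        return [false, 'email exceeds ' . MAX_EMAIL_LENGTH . ' bytes'];
    }
    $email = trim($raw);
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'email is not a valid address'];
    }
    return [true, $email];
}

/** Defence in depth: cap and escape whatever reaches the admin notification view. */
function notification_preview(string $value, int $limit = MAX_EMAIL_LENGTH): string
{
    $short = strlen($value) > $limit ? substr($value, 0, $limit) . '...' : $value;
    // ENT_SUBSTITUTE keeps output non-empty if the cut splits a multi-byte character.
    return htmlspecialchars($short, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, not taken from the report.
$samples = [
    'normal'    => 'user@example.com',
    'oversized' => str_repeat('A', 500000) . '@example.com',
    'array'     => ['user@example.com'],
    'malformed' => 'not-an-address',
];
foreach ($samples as $label => $input) {
    [$ok, $detail] = validate_signup_email($input);
    printf("%-9s %s  %s\n", $label, $ok ? 'accept' : 'reject', notification_preview($detail));
}
```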

We are processing your report and will contact the microweber team within 24 hours. (a year ago)
We have contacted a member of the microweber team and are waiting to hear back. (a year ago)
Bozhidar Slaveykov modified the Severity from High to None (a year ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bozhidar Slaveykov validated this vulnerability (a year ago)
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bozhidar Slaveykov marked this as fixed in 1.2.16 with commit 4ac2a4 (a year ago)
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE

Akshay Ravi
a year ago


@admin can you please assign a CVE for this?

Jamie Slome
a year ago


We do not currently assign CVEs to vulnerabilities with a None severity.
