CVE-2026-12198

Source
https://cve.org/CVERecord?id=CVE-2026-12198
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12198.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12198
Published
2026-06-15T00:00:08.994Z
Modified
2026-07-15T01:49:19.675466280Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Microweber API Endpoint thumbnail_img userfiles_path path traversal
Details

A weakness has been identified in Microweber up to 2.0.20. This affects the function userfilespath of the file /apinosession/thumbnailimg of the component API Endpoint. Executing a manipulation of the argument cachepath_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12198.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/microweber/microweber

Affected ranges

Type
GIT
Repo
https://github.com/microweber/microweber
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.0.0"
        },
        {
            "introduced": "2.0.1"
        },
        {
            "last_affected": "2.0.1"
        },
        {
            "introduced": "2.0.2"
        },
        {
            "last_affected": "2.0.2"
        },
        {
            "introduced": "2.0.20"
        },
        {
            "last_affected": "2.0.20"
        },
        {
            "introduced": "2.0.3"
        },
        {
            "last_affected": "2.0.3"
        },
        {
            "introduced": "2.0.4"
        },
        {
            "last_affected": "2.0.4"
        },
        {
            "introduced": "2.0.5"
        },
        {
            "last_affected": "2.0.5"
        },
        {
            "introduced": "2.0.6"
        },
        {
            "last_affected": "2.0.6"
        },
        {
            "introduced": "2.0.7"
        },
        {
            "last_affected": "2.0.7"
        },
        {
            "introduced": "2.0.8"
        },
        {
            "last_affected": "2.0.8"
        },
        {
            "introduced": "2.0.9"
        },
        {
            "last_affected": "2.0.9"
        },
        {
            "introduced": "2.0.10"
        },
        {
            "last_affected": "2.0.10"
        },
        {
            "introduced": "2.0.11"
        },
        {
            "last_affected": "2.0.11"
        },
        {
            "introduced": "2.0.12"
        },
        {
            "last_affected": "2.0.12"
        },
        {
            "introduced": "2.0.13"
        },
        {
            "last_affected": "2.0.13"
        },
        {
            "introduced": "2.0.14"
        },
        {
            "last_affected": "2.0.14"
        },
        {
            "introduced": "2.0.15"
        },
        {
            "last_affected": "2.0.15"
        },
        {
            "introduced": "2.0.16"
        },
        {
            "last_affected": "2.0.16"
        },
        {
            "introduced": "2.0.17"
        },
        {
            "last_affected": "2.0.17"
        },
        {
            "introduced": "2.0.18"
        },
        {
            "last_affected": "2.0.18"
        },
        {
            "introduced": "2.0.19"
        },
        {
            "last_affected": "2.0.19"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2.*
2.0.0
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12198.json"