VYPR
High severity 7.3 · NVD Advisory · Published Jun 15, 2026

CVE-2026-12198

Description

CVE-2026-12198 is an unauthenticated path traversal in Microweber ≤2.0.20, exploitable via the cache_path_relative parameter of the /api_nosession/thumbnail_img endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2026-12198 describes a path traversal vulnerability in Microweber up to and including version 2.0.20 [1]. The flaw resides in the function userfiles_path accessible through the API endpoint /api_nosession/thumbnail_img. The endpoint does not properly validate the cache_path_relative argument, allowing directory traversal sequences such as ../ to escape the intended thumbnail cache directory. The normalize_path() helper only normalizes separators and does not strip traversal strings [2].

Exploitation

An unauthenticated attacker can send a maliciously crafted GET request to /api_nosession/thumbnail_img with a cache_path_relative parameter containing ../ sequences. For example, to read a file outside the cache path, an attacker could use ?src=userfiles/modules/admin/backup/backup.svg&width=16&height=16&cache_path_relative=../composer.json. The attack is remotely exploitable without any prior authentication or user interaction [2].

Impact

Successful exploitation enables arbitrary file read from the server filesystem. Under certain conditions where the source image is a local SVG file, the endpoint may also write an attacker-controlled file to a path outside the intended thumbnail directory, leading to a path-controlled file write. This could expose sensitive configuration data (e.g., composer.json) and potentially enable further compromise of the system [2].

Mitigation

As of the publication date (2026-06-15), no official patch has been released by Microweber. The vendor was contacted early about this disclosure but did not respond [1][2]. Users of Microweber 2.0.20 and earlier versions should consider restricting access to the /api_nosession/thumbnail_img endpoint via web server rules (e.g., .htaccess or reverse proxy) as a temporary workaround. No fixed version is available at this time [1][2].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `normalize_path()` helper does not strip `../` traversal sequences, allowing an attacker to escape the intended thumbnail cache directory via the `cache_path_relative` parameter."

Attack vector

An unauthenticated attacker sends a crafted GET request to `/api_nosession/thumbnail_img` with a `cache_path_relative` parameter containing `../` traversal sequences. Because `normalize_path()` normalizes separators but does not remove traversal sequences, the attacker can escape the intended thumbnail cache directory. This allows arbitrary file read (e.g., `../composer.json`) and, when a local SVG source image is used, path-controlled file write outside the intended cache path [1].

Affected code

The vulnerable endpoint is `/api_nosession/thumbnail_img`, which is publicly exposed via `api_expose('thumbnail_img')` in `src/MicroweberPackages/Media/helpers/media.php`. The `cache_path_relative` parameter flows into path concatenation in `src/MicroweberPackages/Media/MediaManager.php`, and the `normalize_path()` helper in `src/MicroweberPackages/App/functions/common.php` does not strip `../` sequences.

What the fix does

The advisory does not include a patch; the vendor was contacted but did not respond. To remediate, the application must validate or sanitize the `cache_path_relative` parameter to reject traversal sequences (e.g., `../`) before using it in filesystem path construction. The `normalize_path()` helper should be hardened to strip or reject path traversal patterns, or the endpoint should enforce that the resolved path stays within the intended thumbnail cache directory.
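The remediation above describes two complementary controls: reject traversal patterns in the parameter, and enforce that the resolved path stays inside the cache directory. The following plain-PHP snippet is an added example written for this page; it is not Microweber's code and not a vendor patch. The function names `weak_normalize_path` and `safe_cache_path` and the base directory are assumptions made for the illustration. The weak normalizer is a stand-in modelled on the behaviour the advisory attributes to `normalize_path()` (separator normalization only), shown beside a hardened check that works lexically, so it also covers the file-write case where the target does not exist yet.

```php
<?php
// Added example, not Microweber's code: a containment check for a
// user-supplied relative cache path. Function names and the base
// directory are assumptions made for this illustration.

/**
 * Illustrative weak normalizer modelled on the behaviour the advisory
 * describes for normalize_path(): it unifies separators but leaves ".."
 * segments in place. A stand-in for comparison, not the project's code.
 */
function weak_normalize_path(string $path): string
{
    $path = str_replace('\\', '/', $path);
    return preg_replace('#/+#', '/', $path);
}

/**
 * Resolve $relative against $baseDir and return the absolute path only if
 * it stays inside $baseDir; return null otherwise. The check is lexical,
 * so it also protects paths that do not exist yet (the file-write case);
 * a realpath() pass adds symlink resolution for paths that do exist.
 */
function safe_cache_path(string $baseDir, string $relative): ?string
{
    // NUL bytes can truncate the path in the C-level filesystem call.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $relative = str_replace('\\', '/', $relative);

    // A "relative" cache path must never be absolute or carry a drive letter.
    if ($relative === '' || $relative[0] === '/' || preg_match('#^[A-Za-z]:#', $relative) === 1) {
        return null;
    }

    // Walk the segments: collapse empty and "." segments, refuse any "..".
    $segments = [];
    foreach (explode('/', $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            return null;   // refused outright, even when it would not escape
        }
        $segments[] = $seg;
    }
    if ($segments === []) {
        return null;
    }

    $base = rtrim(str_replace('\\', '/', $baseDir), '/');
    $candidate = $base . '/' . implode('/', $segments);

    // The built string must start with "<base>/" (cheap second assertion).
    if (strncmp($candidate, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }

    // For paths that already exist, realpath() follows symlinks, so a link
    // planted inside the cache that points outside the base is caught here.
    $real = realpath($candidate);
    if ($real !== false) {
        $realBase = realpath($base);
        $sep = DIRECTORY_SEPARATOR;
        if ($realBase === false
            || strncmp($real, $realBase . $sep, strlen($realBase) + 1) !== 0) {
            return null;
        }
    }
    return $candidate;
}

// Constructed inputs for demonstration; the base directory is made up.
$base = '/var/www/html/userfiles/cache/thumbnails';
$inputs = [
    'admin/backup/16x16/backup.svg',   // ordinary cache entry: accepted
    '../composer.json',                // the traversal form named in the advisory: rejected
    'a/../b.png',                      // climbs but stays inside: rejected by the strict rule
    '/etc/hostname',                   // absolute: rejected
    "x\0.png",                         // NUL byte: rejected
];
foreach ($inputs as $input) {
    printf(
        "%-34s weak: %-32s safe: %s\n",
        json_encode($input),
        json_encode(weak_normalize_path($input)),
        safe_cache_path($base, $input) ?? 'REJECTED'
    );
}
```

Two design notes. The check runs on the value after the framework has already URL-decoded the query parameter; do not decode it a second time, or an encoded `..` that was harmless as a literal segment name becomes a real traversal. Rejecting every `..` segment, including `a/../b.png`, is deliberate: a thumbnail cache key never legitimately needs to climb, and a strict rule is easier to reason about than a partially resolved one. Logging the rejected values gives operations a direct detection signal for probing of this endpoint while no vendor fix is available.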

Preconditions

  • auth: No authentication is required
  • network: The vulnerable endpoint /api_nosession/thumbnail_img must be publicly reachable
  • input: The attacker controls the cache_path_relative query parameter

Reproduction

1. Arbitrary File Read: Send `GET /api_nosession/thumbnail_img?src=userfiles/modules/admin/backup/backup.svg&width=16&height=16&cache_path_relative=../composer.json`
2. Path-Controlled File Write: Send `GET /api_nosession/thumbnail_img?src=userfiles/modules/admin/backup/backup.svg&width=17&height=17&cache_path_relative=../audit-thumb-proof-stage3.txt`

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)