PT-2025-27668 · Unknown · Microweber Cms
Talha Karakumru · Published 2025-07-02 · Updated 2025-07-02 · CVE-2025-34076
CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Microweber CMS versions <= 1.2.11
Description: An authenticated local file inclusion issue exists due to the misuse of the backup management API. Authenticated users can exploit the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem by specifying an absolute file path in the src parameter of the upload request. This allows for local file disclosure due to insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
Recommendations: For Microweber CMS versions <= 1.2.11, consider disabling the /api/BackupV2/upload and /api/BackupV2/download endpoints until a patch is available to prevent exploitation. Restrict access to the backup management API to minimize the risk of arbitrary file disclosure. Avoid using the src parameter in the upload request to prevent specifying absolute file paths.
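As an added example of the path validation the recommendations above call for (not Microweber code): a check that confines a src-style parameter to the backup directory, rejecting absolute paths, upward traversal and symlinks that escape the root. The backup root, function names and sample files are assumptions.

```python
# Added example for this advisory, not Microweber code: a defensive check for a
# user-supplied `src` parameter like the one on /api/BackupV2/upload. The backup
# root, function names and sample files below are constructed assumptions.
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafePathError(ValueError):
    """`src` is absolute, traverses upward, escapes the backup root, or is not a file."""


def resolve_backup_source(src: str, backup_root: Path) -> Path:
    """Return the file `src` names inside `backup_root`, or raise UnsafePathError."""
    # 1. Refuse absolute or malformed paths outright (POSIX, drive-letter and UNC
    #    forms): accepting an absolute `src` is exactly what exposed arbitrary files.
    if "\x00" in src or src.startswith("\\") or PurePosixPath(src).is_absolute() \
            or PureWindowsPath(src).is_absolute():
        raise UnsafePathError(f"absolute or malformed path rejected: {src!r}")
    # 2. Refuse any '..' segment before touching the filesystem.
    if ".." in PurePosixPath(src).parts:
        raise UnsafePathError(f"traversal segment in: {src!r}")
    # 3. Resolve with symlinks followed and confirm the result is still a regular
    #    file under the root; this also catches a symlink placed inside the root.
    root = backup_root.resolve(strict=True)
    candidate = (root / src).resolve()
    if candidate == root or root not in candidate.parents or not candidate.is_file():
        raise UnsafePathError(f"not a regular file under the backup root: {src!r}")
    return candidate


def demo() -> dict:
    """Constructed scenario: one legitimate backup, one file outside the root and a
    symlink inside the root pointing at it; returns the verdict for each request."""
    base = Path(tempfile.mkdtemp())
    root = base / "backups"
    root.mkdir()
    (root / "site.zip").write_bytes(b"PK\x03\x04")  # constructed sample backup
    outside = base / "config.php"
    outside.write_text("<?php // constructed stand-in for a sensitive file")
    (root / "escape").symlink_to(outside)  # symlink pointing outside the root
    cases = {"legit": "site.zip", "absolute": str(outside),
             "traversal": "../config.php", "symlink": "escape"}
    results = {}
    for label, src in cases.items():
        try:
            resolve_backup_source(src, root)
            results[label] = "allowed"
        except UnsafePathError:
            results[label] = "rejected"
    return results
```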

Weakness Enumeration: Path traversal
Related Identifiers: CVE-2025-34076, GHSA-J64V-XH5W-8HQJ
Affected Products: Microweber Cms