Key Information Vulnerability Details CVE ID: CVE-2025-51503 Vulnerability Type: Stored Cross-Site Scripting (XSS) Affected Versions: Latest tested version of MicroWebber running locally Affected Page: /microwebber/admin/user/profile Vulnerability Description The user profile update functionality in MicroWebber does not properly validate or encode user input in the and fields. When malicious scripts are saved in these fields and the page is reloaded, the scripts execute in the user's context. Reproduction Steps 1. Navigate to the user profile edit page: 2. Use the following payload in the user profile: - : - : 3. Save the changes. 4. Refresh the profile page. 5. Observe XSS trigger — an alert will be displayed. Payload Example HTTP Request Example Related CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Impact Persistent JavaScript execution Compromise of admin panel Session hijacking (if HTTPOnly is not enforced) Redirects or phishing attacks Potential DOM-based payloads with caching Recommended Mitigation Use Laravel’s function or Blade’s double braces to automatically escape sensitive and renderable inputs ( , , etc.) before displaying on any page. Implement server-side validation rules to reject inputs containing script tags or JavaScript patterns. Apply output encoding in all templates that render user data. Timeline 2025-05-28: Vulnerability discovered 2025-05-30: Reported to MicroWebber maintainers