CVE-2025-13648 MEDIUM

CVE-2025-13648: STORED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB

Vendor Microcom

Product ZeusWeb

Weakness CWE-79 · XSS

Published February 11, 2026

Last update February 11, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31.

Key dates

02Disclosure timeline

February 11, 2026 CVE published

February 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13648 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-13648: STORED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB

01Description

02Disclosure timeline

03References

04Related CVE