CVE-2025-13649 MEDIUM

CVE-2025-13649: REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB

Vendor Microcom

Product ZeusWeb

Weakness CWE-79 · XSS

Published February 11, 2026

Last update February 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true . This issue affects ZeusWeb: 6.1.31.

Key dates

02Disclosure timeline

February 11, 2026 CVE published

February 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13649 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-4520 FV Flowplayer Video Player <= 7.5.37.7212 - Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update CVE-2024-51701 WordPress MG Post Contributors plugin <= 1.3. - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-51611 WordPress WP Feature Box plugin <= 0.1.3 - Stored Cross Site Scripting (XSS) vulnerability CVE-2023-41789 Unauthenticated Admin Account Takeover Via XSS CVE-2025-68864 WordPress Infility Global plugin <= 2.15.11 - Cross Site Scripting (XSS) vulnerability