CVE-2025-40697 PUBLISHED

Reflected Cross-Site Scripting (XSS) in Lewe WebMeasure

Assigner: INCIBE
Reserved: 16.04.2025 Published: 19.02.2026 Updated: 19.02.2026

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Product Status

Vendor: Lewe
Product: WebMeasure
Versions: Default status: unaffected
  • Version "all versions": status unknown

Credits

  • Gonzalo Aguilar García (6h4ack), finder

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')