Reflected Cross-Site Scripting (XSS) in Lewe WebMeasure

Posted date 19/02/2026
Identifier
INCIBE-2026-128
Importance
3 - Medium
Affected Resources

WebMeasure

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Lewe WebMeasure. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40697: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.

Solution

The WebMeasure software is no longer available on the Lewe website and is no longer supported.

Detail

CVE-2025-40697: Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
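Because no fix will be published, one thing an operator of a remaining install can do is review web-server logs for requests that put markup into the 'page' parameter of '/index.php'. The following is an added example, not code from INCIBE or Lewe; the allowlist of legitimate 'page' values, the access-log format, the treatment of '/' as a directory index and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate 'page' values are short identifiers; adjust per deployment.
SAFE_PAGE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Request line as it appears in common/combined access-log format.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding so double-encoded markup becomes visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_page_values(log_line):
    """Return decoded 'page' values in this log line that fall outside the allowlist."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # '/index.php' may sit in a subdirectory or be served as the directory index.
    if not (url.path.endswith("/index.php") or url.path.endswith("/")):
        return []
    # parse_qs decodes once; anything still outside the allowlist is reported.
    return [fully_decode(raw) for raw in parse_qs(url.query).get("page", [])
            if not SAFE_PAGE.fullmatch(raw)]

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious 'page' value."""
    return [(n, value) for n, line in enumerate(lines, start=1)
            for value in flag_page_values(line)]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Feb/2026:10:01:02 +0000] "GET /index.php?page=settings HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Feb/2026:10:01:09 +0000] "GET /index.php?page=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5342',
    '203.0.113.9 - - [19/Feb/2026:10:01:15 +0000] "GET /index.php?page=%253Cscript%253E HTTP/1.1" 200 5301',
    '198.51.100.4 - - [19/Feb/2026:10:02:00 +0000] "GET /about.php?page=%3Cb%3E HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious page value {value!r}")
```

The same allowlist can be enforced at a reverse proxy in front of the application so that requests with a non-conforming 'page' value are rejected before they reach '/index.php'.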

CVE

CVE identifier: CVE-2025-40697
Severity: Medium
Exploitation: No
Vendor: Lewe