Reflected Cross-Site Scripting Vulnerability in Lewe WebMeasure
CVE-2025-40697

5.1MEDIUM

Key Information:

Vendor: Lewe
Status: Webmeasure
Vendor: CVE Published:; 19 February 2026

What is CVE-2025-40697?

A reflected Cross-Site Scripting (XSS) vulnerability exists in the '/index.php' file of Lewe WebMeasure. This flaw allows remote attackers to execute arbitrary code via the 'page' parameter. Exploiting this vulnerability can lead to the unauthorized access of sensitive user data, including session cookies, and can enable attackers to perform actions on behalf of legitimate users, further compromising the security of the affected system.

Affected Version(s)

WebMeasure all versions

References

https://www.incibe.es/en/incibe-cert/notices/aviso/reflec...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Gonzalo Aguilar García (6h4ack)

CVE-2025-40697 Data

JSON