Description
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
Published: 2026-05-18
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw that occurs when user-supplied file paths are passed to an endpoint without proper validation, sanitization, or path restriction. In the affected HSC MailInspector v5.3.3-7, the /vendor/phpunit/phpunit.php route accepts parameters that influence file access operations. Because the input is not restricted, an attacker can craft a request that traverses directories and reads arbitrary files on the underlying operating system and application directories, exposing confidential data such as configuration files, credentials, or logs.

Affected Systems

The flaw resides specifically in HSC MailInspector version 5.3.3-7. Any installation of that version that exposes the /vendor/phpunit/phpunit.php endpoint to remote users is susceptible to exploitation. No other versions or products are known to share this issue at the time of this analysis.

Risk and Exploitability

Although the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, an LFI vulnerability that permits arbitrary file reads is severe and easy to exploit over the network. A remote attacker can trigger the flaw by sending a specially crafted HTTP request to the vulnerable endpoint, without needing privileged credentials. The lack of exploitation evidence suggests the risk may currently be moderate to high, but the potential for data disclosure warrants prompt remediation.

Generated by OpenCVE AI on May 18, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade HSC MailInspector to a version that removes the vulnerable endpoint or adds proper path validation.
  • Apply strict filesystem permissions to the web process so that it cannot read sensitive directories outside the intended document root.
  • Configure the web server to disallow path traversal and enforce directory constraints, for example by using configuration directives that restrict file access to the web root.

Advisories

No advisories yet.

History

Mon, 18 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | Local File Inclusion in HSC MailInspector v5.3.3-7
First Time appeared | | Hsclabs; Hsclabs mailinspector
Weaknesses | | CWE-22
Vendors & Products | | Hsclabs; Hsclabs mailinspector

Mon, 18 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-18T17:05:37.265Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29962

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-18T18:17:21.383

Modified: 2026-05-18T19:37:49.260

Link: CVE-2026-29962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T18:30:15Z

Weaknesses