Description
HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.
Published: 2026-05-18
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HSC MailInspector 5.3.3-7 contains a path traversal flaw on the /tap/dw.php endpoint. The text parameter is concatenated into file paths without proper normalization, allowing a remote attacker to read any file on the underlying operating system. This can lead to exposure of credentials, configuration files, and other confidential data.

Affected Systems

The vulnerability affects HSC MailInspector version 5.3.3-7, a mail inspection platform used in various organizations.

Risk and Exploitability

The flaw can be exploited remotely via HTTP by sending crafted requests to the text parameter. No EPSS score is available and the vulnerability is not listed in CISA KEV, yet the potential for complete confidentiality compromise elevates the risk assessment. The likely attack vector involves submitting unauthorized file paths through an unauthenticated endpoint to read arbitrary files.

Generated by OpenCVE AI on May 18, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a version that includes a fix for the path traversal vulnerability
  • Restrict external access to the /tap/dw.php endpoint using firewall rules or network segmentation to limit exposure of the vulnerable endpoint
  • Configure the application or web server to enforce path restrictions—allow only files within a whitelisted directory and reject any paths that traverse outside the intended base directory
  • If the text parameter is not required for business operations, temporarily disable or remove the /tap/dw.php endpoint until a fix is available

Generated by OpenCVE AI on May 18, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Hsclabs
Hsclabs mailinspector
Vendors & Products Hsclabs
Hsclabs mailinspector

Mon, 18 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Path Traversal Allowing Arbitrary File Disclosure in HSC MailInspector 5.3.3-7
Weaknesses CWE-20
CWE-22

Mon, 18 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.
References

Subscriptions

Hsclabs Mailinspector
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-18T17:07:22.444Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29963

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-18T18:17:21.517

Modified: 2026-05-18T19:37:49.260

Link: CVE-2026-29963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T20:00:12Z

Weaknesses