Description
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
Published: 2026-05-18
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a reflected XSS in HSC MailInspector's /tap/tap.php endpoint. User input is not neutralized, so a malicious actor can embed arbitrary JavaScript that is reflected in HTTP responses and executed with the victim's browser privileges. This can lead to session cookie theft, credential hijacking, phishing, and further malicious payload execution, representing a client-side exploitation vector that endangers confidentiality and integrity.

Affected Systems

HSC MailInspector version 5.3.3-7 is affected. The vulnerability resides in the /tap/tap.php endpoint. No other products or versions are listed.

Risk and Exploitability

No CVSS or EPSS scores are published and the flaw is not in the CISA KEV catalog. The attack requires only a crafted request and a victim visiting the malicious URL, so the attack vector is simple and the potential impact is high for targeted users. While widespread exploitation is not yet recorded, the vulnerability can still be abused in phishing campaigns without advanced infrastructure.

Generated by OpenCVE AI on May 18, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's latest patch that properly encodes output for the /tap/tap.php endpoint.
  • Restrict external access to the /tap/tap.php endpoint by enabling authentication or IP-based filtering.
  • Deploy a Content Security Policy that blocks inline scripts and limits script sources to trusted origins.
  • Ensure that all user-supplied data reflected in HTTP responses is encoded using a suitable output encoding method.
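The two code-level actions above (output encoding of reflected values and a Content Security Policy) are shown in the following added example. This is illustrative PHP written for this page, not HSC MailInspector's own code; the parameter name `q`, the page layout and the sample input are assumptions. It places the unsafe reflection pattern the advisory describes (CWE-79) beside a hardened version.

```php
<?php
// Added example (not HSC MailInspector code): the reflection pattern the
// advisory describes, beside a hardened version implementing the two
// recommended actions (output encoding and a Content Security Policy).
// The parameter name "q" and the page layout are assumptions.

declare(strict_types=1);

// Unsafe: the raw query parameter is written straight into the HTML body,
// so any markup or script it carries is interpreted by the browser (CWE-79).
function render_unsafe(string $q): string
{
    return "<p>You searched for: " . $q . "</p>";
}

// Safe: every reflected value goes through an HTML encoder. ENT_QUOTES encodes
// both quote styles so the value is also inert inside attribute values, and
// the explicit charset prevents encoder/browser charset mismatches.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $q): string
{
    return "<p>You searched for: " . encode_html($q) . "</p>";
}

// Defence in depth: a restrictive CSP means that even a missed encoding site
// cannot run inline script or load script from an untrusted origin.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Sample input (constructed): a value containing markup characters.
// encode_html() turns it into &quot;&gt;&lt;b&gt;hello&lt;/b&gt;, which the
// browser displays as text instead of parsing as HTML.
$sample = '"><b>hello</b>';

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two renderings.
    echo "unsafe: " . render_unsafe($sample) . PHP_EOL;
    echo "safe:   " . render_safe($sample) . PHP_EOL;
} else {
    // Served by a web server: headers must be sent before any body output.
    send_security_headers();
    header('Content-Type: text/html; charset=UTF-8');
    $q = isset($_GET['q']) ? (string) $_GET['q'] : '';
    echo render_safe($q);
}
```

Encoding at the output site is the primary fix: it makes the reflected value inert regardless of which characters or syntax it contains, so it does not depend on recognising particular JavaScript forms. The CSP is a second layer that limits what a missed encoding site can do; both together correspond to the last two recommended actions.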

Advisories

No advisories yet.

History

Mon, 18 May 2026 19:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Hsclabs
                     |                | Hsclabs mailinspector
Vendors & Products   |                | Hsclabs
                     |                | Hsclabs mailinspector

Mon, 18 May 2026 18:45:00 +0000

Type        | Values Removed | Values Added
Title       |                | Unvalidated Reflected XSS in HSC MailInspector /tap/tap.php
Weaknesses  |                | CWE-79

Mon, 18 May 2026 17:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
References   |                |

Subscriptions

Hsclabs Mailinspector
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-18T17:08:12.357Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29964

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-05-18T18:17:21.650

Modified: 2026-05-18T19:37:49.260

Link: CVE-2026-29964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T19:00:12Z

Weaknesses