Description
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
Published: 2026-05-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a reflected XSS in HSC MailInspector's /tap/tap.php endpoint. User input is not neutralized, so a malicious actor can embed arbitrary JavaScript that is reflected in HTTP responses and executed within the victim's browser context.

Affected Systems

HSC MailInspector version 5.3.3‑7 is affected. The vulnerability resides in the /tap/tap.php endpoint. No other symptoms or versions are reported.

Risk and Exploitability

The CVSS score is 6.1 and EPSS information is not available. The attack vector is a remote exploitation via a crafted URL that injects unsanitized input. No privileged access or additional exploitation tools are required. The flaw is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 19, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch that properly encodes output for the /tap/tap.php endpoint.
  • Restrict external access to the /tap/tap.php endpoint by enabling authentication or IP‑based filtering.
  • Deploy a Content Security Policy that blocks inline scripts and limits script sources to trusted origins.
  • Ensure that all user‑supplied data reflected in HTTP responses is encoded using a suitable output encoding method.

Generated by OpenCVE AI on May 19, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hsclabs:mailinspector:5.3.3-7:*:*:*:*:*:*:*

Tue, 19 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Unvalidated Reflected XSS in HSC MailInspector /tap/tap.php

Mon, 18 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Hsclabs
Hsclabs mailinspector
Vendors & Products Hsclabs
Hsclabs mailinspector

Mon, 18 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unvalidated Reflected XSS in HSC MailInspector /tap/tap.php
Weaknesses CWE-79

Mon, 18 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
References

Subscriptions

Hsclabs Mailinspector
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-18T21:28:51.998Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29964

cve-icon Vulnrichment

Updated: 2026-05-18T21:24:47.913Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-18T18:17:21.650

Modified: 2026-05-19T17:20:32.380

Link: CVE-2026-29964

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T01:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')