Description
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
Published: 2026-05-18
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the /police/WarningUrlPage.php endpoint of HSC MailInspector 5.3.3-7. The application fails to neutralize user-supplied input that contains alternate or obfuscated script syntax, so an attacker can inject arbitrary JavaScript. The injected code executes in the victim's browser, potentially leading to session hijacking, defacement, or redirection to phishing sites. The impact encompasses confidentiality, integrity, and availability of the affected web interface.

Affected Systems

HSC MailInspector versions 5.3.3 through 5.3.7 are impacted. The issue is confined to the WarningUrlPage.php script accessed via the /police/ sub‑directory. No other vendors or products are listed in the CVE record.

Risk and Exploitability

The CVSS score is not provided, the EPSS rating is unavailable, and the vulnerability is not yet listed in CISA's KEV catalog. The CVE description does not specify any authentication requirement; from that description it is inferred that the endpoint can be accessed without authentication, so an attacker can supply the malicious input simply by visiting the URL. This suggests a high likelihood of successful exploitation in environments where the endpoint is exposed to the public or to untrusted users. Because the flaw results in script execution in the browser of any user who visits the warning page, the risk to the organization is significant.

Generated by OpenCVE AI on May 18, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of HSC MailInspector that contains the fix for WarningUrlPage.php or apply the vendor’s patch.
  • If an update is not yet available, restrict access to the /police/WarningUrlPage.php endpoint to trusted IP addresses or authenticated users, thereby limiting exposure to unauthenticated requesters.
  • Implement server‑side input sanitization or encoding for all parameters accepted by WarningUrlPage.php, and consider deploying a Content Security Policy that blocks inline scripting for the warning page to mitigate XSS attempts.



Advisories

No advisories yet.

History

Mon, 18 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Title | | Unprivileged Cross‑Site Scripting in HSC MailInspector Warning URL Page
Weaknesses | | CWE-79

Mon, 18 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hsc; Hsc mailinspector
Vendors & Products | | Hsc; Hsc mailinspector

Mon, 18 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-18T17:09:10.511Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29965

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-18T18:17:21.773

Modified: 2026-05-18T19:37:49.260

Link: CVE-2026-29965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T19:00:13Z

Weaknesses