Description
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
Published: 2026-05-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the /police/WarningUrlPage.php endpoint of HSC MailInspector 5.3.3-7 and allows an attacker to inject arbitrary JavaScript, because the application fails to neutralize user-supplied input that contains alternate or obfuscated script syntax. The flaw permits execution of malicious code in the victim's browser, potentially leading to session hijacking, defacement, or redirection to phishing sites. The impact encompasses the confidentiality, integrity, and availability of the affected web interface.

Affected Systems

HSC MailInspector versions 5.3.3 through 5.3.7 are impacted. The issue is confined to the WarningUrlPage.php script accessed via the /police/ sub-directory. No other vendors or products are listed in the CVE record.

Risk and Exploitability

The CVSS score is 6.1, EPSS is not available, and the vulnerability is not listed in KEV. The description does not specify any authentication requirement; from that description it is inferred that the endpoint can be reached without authentication, so an attacker could supply malicious input simply by visiting the URL. This suggests a high likelihood of successful exploitation in environments where the endpoint is exposed to the public or to untrusted users. Because the flaw results in JavaScript execution in the context of any user who visits the warning page, the risk to the organization is significant.

Generated by OpenCVE AI on May 19, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of HSC MailInspector that contains the fix for WarningUrlPage.php, or apply the vendor's patch.
  • If an update is not yet available, restrict access to the /police/WarningUrlPage.php endpoint to trusted IP addresses or authenticated users, thereby limiting exposure to unauthenticated requesters.
  • Implement server-side input sanitization or output encoding for all parameters accepted by WarningUrlPage.php, and consider deploying a Content Security Policy that blocks inline scripting on the warning page to mitigate XSS attempts.
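As an added illustration of the third recommended action (this is example code written for this page, not code from HSC MailInspector or from OpenCVE): a hypothetical warning page that reflects a blocked URL into HTML, shown first with the unsafe pattern and then with context-appropriate output encoding plus a Content Security Policy that disallows inline scripts. The parameter name `url`, the helper names and the page layout are assumptions; the CVE record does not name the vulnerable parameter.

```php
<?php
// Added example of a hypothetical warning page; not HSC MailInspector code.
// The parameter name 'url' and the page layout are assumptions, since the
// CVE record does not say which parameter WarningUrlPage.php reflects.

// Unsafe pattern: a request parameter is concatenated into HTML unencoded.
// Filtering known tags or keywords does not fix this, because alternate or
// obfuscated JavaScript syntax slips past any blocklist; the browser, not the
// filter, decides what is script.
function render_warning_unsafe(string $blockedUrl): string
{
    return '<p>Access to ' . $blockedUrl . ' was blocked by policy.</p>';
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES also escapes
// both quote characters, so the same helper is safe inside attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_warning_safe(string $blockedUrl): string
{
    return '<p>Access to ' . h($blockedUrl) . ' was blocked by policy.</p>';
}

// Defence in depth: a CSP that refuses inline scripts. Any legitimate script on
// the page must then be served from the same origin or carry the per-request
// nonce, so an injected inline script is not executed even if encoding is
// missed somewhere.
function send_csp_header(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'none'");
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input containing markup, used to show the difference.
    $sample = 'http://example.test/?q=<b>';
    echo render_warning_unsafe($sample), "\n";  // markup passes through verbatim
    echo render_warning_safe($sample), "\n";    // rendered as &lt;b&gt;
} else {
    // Web entry point: set headers before any output, then render safely.
    $nonce = base64_encode(random_bytes(16));
    send_csp_header($nonce);
    header('Content-Type: text/html; charset=UTF-8');
    $blockedUrl = (string)($_GET['url'] ?? '');
    echo render_warning_safe($blockedUrl);
}
```

Output encoding is context-specific: the helper above is correct for HTML text and attribute values, but if the blocked URL were also placed into an `href`, the scheme should additionally be validated (for example, only `http` and `https`), since HTML encoding alone does not stop a URL with a script scheme from being followed.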

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hsclabs; Hsclabs mailinspector
CPEs | | cpe:2.3:a:hsclabs:mailinspector:5.3.3-7:*:*:*:*:*:*:*
Vendors & Products | | Hsclabs; Hsclabs mailinspector

Tue, 19 May 2026 00:45:00 +0000

Type | Values Removed | Values Added
Title | | Unprivileged Cross-Site Scripting in HSC MailInspector Warning URL Page

Mon, 18 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Title | | Unprivileged Cross-Site Scripting in HSC MailInspector Warning URL Page
Weaknesses | | CWE-79

Mon, 18 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hsc; Hsc mailinspector
Vendors & Products | | Hsc; Hsc mailinspector

Mon, 18 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
References | |

MITRE

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-05-18T21:28:48.808Z
Reserved: 2026-03-04T00:00:00.000Z
Link: CVE-2026-29965

Vulnrichment

Updated: 2026-05-18T21:22:15.342Z

NVD

Status: Analyzed
Published: 2026-05-18T18:17:21.773
Modified: 2026-05-19T17:19:58.520
Link: CVE-2026-29965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T00:30:15Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')