Description
Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).
Published: 2026-05-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Webmin before version 2.640 is vulnerable to a cross‑site scripting attack via the mailboxes component’s detach.cgi endpoint. An attacker can create a malicious SVG document attachment that, when opened by a user, is served with the MIME type image/svg+xml instead of a safe type such as text/plain, allowing arbitrary JavaScript execution in the victim’s browser. Classed as CWE‑79, this flaw can lead to session hijacking, credential theft, defacement, or denial of service, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

All Webmin installations running versions prior to 2.640 are impacted. The vulnerability is present in releases from 2.630 through 2.639, regardless of the underlying operating system. It affects any deployment that allows users to download or view mailbox attachments via the Webmin web interface.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity that can be exploited remotely through the Webmin web interface. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires an attacker to craft and deliver a malicious SVG attachment to a user with access to the mailboxes component; it does not require elevated privileges or exploit code execution on the server side.

Generated by OpenCVE AI on May 27, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webmin to version 2.640 or later to apply the official fix. The commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 implements stricter MIME type validation for attachment rendering.
  • Disable or block SVG attachments within the mailboxes component, or enforce a whitelist of allowed MIME types such as text/plain, text/html, or image/png.
  • Configure the Webmin server or client browsers to block automatic rendering of SVG files when accessed through the Webmin interface, ensuring that arbitrary scripts cannot execute in the user’s context.

Generated by OpenCVE AI on May 27, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).
First Time appeared Webmin
Webmin webmin
Weaknesses CWE-79
CPEs cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
Vendors & Products Webmin
Webmin webmin
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Webmin Webmin
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T17:27:21.572Z

Reserved: 2026-05-27T14:31:13.385Z

Link: CVE-2026-49102

cve-icon Vulnrichment

Updated: 2026-05-27T17:27:18.049Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T15:16:34.003

Modified: 2026-06-17T10:55:30.430

Link: CVE-2026-49102

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')