Description
Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.
Published: 2026-05-27
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Webmin versions earlier than 2.640 construct filenames for saving mailbox attachments without sufficient validation. An attacker who can control the attachment download path could write arbitrary files to the server filesystem, potentially including executable scripts or web pages that bypass authentication. Because the flaw allows writes into trusted locations, it can lead to full compromise of the Webmin server.

Affected Systems

The vulnerability affects all installations of Webmin, regardless of platform, that use a version prior to 2.640. Administrators should verify the exact release they are running and plan an upgrade accordingly.

Risk and Exploitability

The flaw has a CVSS score of 9.4, indicating high severity; it is currently not listed in CISA KEV, and no EPSS score is available. The likely attack vector involves authenticated users who have permission to trigger mailbox attachment downloads; an attacker with those privileges can supply crafted paths to make the server write files anywhere the process is permitted to write. The lack of an EPSS score suggests limited publicly known exploitation, but the high CVSS score warrants immediate attention.

Generated by OpenCVE AI on May 27, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webmin to version 2.640 or later to apply the fixed filename construction logic.
  • Ensure that only trusted administrative users have access to the mailboxes component and enforce least-privilege access controls.
  • Restrict attachment download destinations to a safe, non-executable directory and disable attachment uploads for untrusted users.

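As an added illustration (not Webmin's code, which this record does not show, and not part of the OpenCVE text), the filename confinement that the remediation bullets describe: the client-supplied attachment name is reduced to a single safe path component and the resolved save path is verified to stay inside the configured directory. The directory `/srv/mail/attach` and the sample names are constructed placeholders.

```python
"""Confining mailbox-attachment saves to one directory (illustrative, not Webmin's code)."""
import os
import re
import unicodedata

class UnsafeFilename(ValueError):
    """Raised when a client-supplied attachment name would escape the save directory."""

# Allow-list: anything outside this set is replaced, so path separators never reach the filesystem.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")

def sanitize_attachment_name(client_name: str) -> str:
    """Reduce a client-controlled attachment name to a single safe path component."""
    if "\0" in client_name:
        raise UnsafeFilename("NUL byte in attachment name")
    # Keep only the last component, whichever separator the client used.
    leaf = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    leaf = unicodedata.normalize("NFKC", leaf)
    leaf = _UNSAFE_CHARS.sub("_", leaf)
    # Dropping leading/trailing dots and underscores removes '.', '..' and dotfiles.
    leaf = leaf.strip("._")
    if not leaf:
        raise UnsafeFilename("attachment name is empty after sanitising")
    return leaf[:128]

def unchecked_attachment_path(base_dir: str, client_name: str) -> str:
    """The CWE-24 pattern: the client name is joined in unchanged (shown for contrast only)."""
    return os.path.normpath(os.path.join(base_dir, client_name))

def safe_attachment_path(base_dir: str, client_name: str) -> str:
    """Build the save path and verify the resolved result stays under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, sanitize_attachment_name(client_name)))
    # Independent second check: even if sanitising regresses, refuse to write outside base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename(f"{candidate!r} resolves outside {base!r}")
    return candidate

if __name__ == "__main__":
    # Constructed sample directory and attachment names, not taken from any real report.
    base = "/srv/mail/attach"
    for name in ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", "..", ".hidden"]:
        try:
            print(f"{name!r:22} -> {safe_attachment_path(base, name)}")
        except UnsafeFilename as exc:
            print(f"{name!r:22} -> rejected: {exc}")
```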


Advisories

No advisories yet.

History

Each entry below lists the values added to the record at that time; no entry removed any values.

Wed, 27 May 2026 21:30:00 +0000

  • Title (added): Unsafely Constructed Filename in Webmin Mailbox Attachment Saving Leads to Remote Code Execution

Wed, 27 May 2026 17:30:00 +0000

  • Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

  • Description (added): Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.
  • First Time appeared (added): Webmin; Webmin webmin
  • Weaknesses (added): CWE-24
  • CPEs (added): cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
  • Vendors & Products (added): Webmin; Webmin webmin
  • References (added): none
  • Metrics (added): cvssV4_0
    {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T16:14:12.073Z

Reserved: 2026-05-27T14:37:18.174Z

Link: CVE-2026-49103

Vulnrichment

Updated: 2026-05-27T16:14:09.539Z

NVD

Status: Deferred

Published: 2026-05-27T15:16:34.170

Modified: 2026-06-17T10:55:30.553

Link: CVE-2026-49103

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-24: Path Traversal: '../filedir'