PT-2026-41706 · Unknown · Hc Mailinspector
Published: 2026-05-18 · Updated: 2026-05-18
CVE-2026-29963
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
HSC MailInspector version 5.3.3-7
Description
Improper validation of user-supplied input in the '/tap/dw.php' endpoint allows a remote attacker to access arbitrary files on the underlying operating system, leading to unauthorized disclosure of sensitive information. This occurs because the 'text' parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. Path traversal is a flaw where an attacker can access files and directories that are stored outside the web root folder.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Avoid using the 'text' parameter in the '/tap/dw.php' endpoint until the issue is resolved.
Exploit
Path traversal
Affected Products
Hc Mailinspector
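The description attributes the flaw to a request parameter being joined into a file path without normalization or confinement to a base directory. The following is an added illustration of that missing check, not code from HSC MailInspector or from this advisory: the helper name `resolve_within_base`, the directory layout and the sample inputs are all constructed, and a POSIX filesystem is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not MailInspector code): map a user-supplied name to a
// file that is guaranteed to live under $baseDir, or return null.
function resolve_within_base(string $baseDir, string $userValue): ?string
{
    if ($userValue === '' || strpos($userValue, "\0") !== false) {
        return null;                       // empty or NUL-containing input
    }
    $base = realpath($baseDir);            // canonical base, symlinks resolved
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and fails if missing.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userValue);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "files-private" cannot pass as a prefix match for "files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed fixture: a base directory, a sibling directory, and a symlink.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ptdemo_' . bin2hex(random_bytes(4));
mkdir("$root/files", 0700, true);
mkdir("$root/files-private", 0700, true);
file_put_contents("$root/files/report.txt", "public\n");
file_put_contents("$root/files-private/secret.txt", "private\n");
symlink("$root/files-private/secret.txt", "$root/files/link.txt");

$inputs = [
    'report.txt',                   // plain file name inside the base
    './report.txt',                 // same file, needs normalization
    '../files-private/secret.txt',  // parent-directory step into a sibling
    'link.txt',                     // symlink in the base that points outside it
    'missing.txt',                  // file that does not exist
];
foreach ($inputs as $in) {
    $out = resolve_within_base("$root/files", $in);
    printf("%-30s => %s\n", $in, $out === null ? 'REJECTED' : 'OK');
}
```

The comparison is made on the canonical path after resolution, which is why both the sibling-directory and the symlink cases are caught; checking the raw parameter for ".." sequences alone would miss the symlink.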