PT-2026-42550 · Webmin · Webmin

Hamed Kohi +1 · Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-22678

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Webmin versions prior to 2.641

Description
A stored cross-site scripting issue exists in the email template description field of the System and Server Status module. Low-privileged authenticated attackers can execute arbitrary commands by injecting unsanitized input into the 'save_tmpl.cgi' endpoint, which is subsequently rendered without escaping in the 'list_tmpls.cgi' endpoint.

Recommendations
Update to version 2.641 or later.

Fix · XSS

Related Identifiers: CVE-2026-22678
Affected Products: Webmin