PT-2026-44030 · Webmin · Webmin
Published: 2026-05-27 · Updated: 2026-05-27 · CVE-2026-49102
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Webmin versions prior to 2.640
Description
Cross-site Scripting (XSS) is possible via an SVG document attachment viewed in the mailboxes component. This occurs because the application uses the image/svg+xml content type instead of a safe type such as text/plain when processing the 'mailboxes/detach.cgi' endpoint.
Recommendations
Update to version 2.640 or later.
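One way to apply the safe-type approach the description mentions, as an added example that is not Webmin's code or its actual patch: a header-selection routine for serving untrusted mail attachments. The function name, the type and extension lists, and the extra headers (nosniff, CSP sandbox) are assumptions of this example.

```python
import posixpath
import re

# Types a browser parses as a document and may run script from (assumed list).
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                "text/xml", "application/xml"}
ACTIVE_EXTS = {".svg", ".html", ".htm", ".xhtml", ".xml"}
# Passive types that are reasonable to display inline.
INLINE_OK = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def attachment_headers(filename, declared_type):
    """Return response headers for serving one untrusted mail attachment."""
    # The MIME type is chosen by the sender: drop parameters and normalise.
    mime = declared_type.split(";", 1)[0].strip().lower()
    # Keep a conservative character set: no CR/LF, quotes or path parts.
    base = posixpath.basename(filename.replace("\\", "/"))
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "attachment"
    ext = posixpath.splitext(safe_name)[1].lower()

    headers = {
        "X-Content-Type-Options": "nosniff",   # no sniffing back to SVG/HTML
        "Content-Security-Policy": "sandbox",  # no script if it is rendered
    }
    if mime in ACTIVE_TYPES or ext in ACTIVE_EXTS:
        # Active content: deliver the markup as text, never as a document.
        headers["Content-Type"] = "text/plain; charset=utf-8"
        disposition = "attachment"
    elif mime in INLINE_OK:
        headers["Content-Type"] = mime
        disposition = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        disposition = "attachment"
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample attachments: (filename, sender-declared type).
    samples = [("logo.svg", "image/svg+xml"), ("photo.png", "image/png"),
               ("chart.svg", "image/png"), ("report.docx", "application/msword")]
    for name, ctype in samples:
        print(name, ctype, attachment_headers(name, ctype))
```

The extension check matters because the declared type is sender-controlled: an SVG labelled image/png would otherwise be served inline.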
Fix
XSS
Affected Products
Webmin