6.1
CVE-2026-49102
- EPSS 0.16%
- Veröffentlicht 27.05.2026 15:16:34
- Zuletzt bearbeitet 27.05.2026 19:49:48
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerWebmin
≫
Produkt
Webmin
Default Statusunaffected
Version
0
Version <
2.640
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.049 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve@mitre.org | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1
https://github.com/webmin/webmin/compare/2.630...2.640