CVE-2026-56020
- EPSS 0.29%
- Veröffentlicht 18.06.2026 16:12:05
- Zuletzt bearbeitet 22.06.2026 17:52:22
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in...
CVE-2026-56021
- EPSS 0.28%
- Veröffentlicht 18.06.2026 16:11:46
- Zuletzt bearbeitet 24.06.2026 21:16:58
Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.
CVE-2026-56022
- EPSS 0.31%
- Veröffentlicht 18.06.2026 16:11:22
- Zuletzt bearbeitet 24.06.2026 21:16:58
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.
CVE-2026-49103
- EPSS 0.3%
- Veröffentlicht 27.05.2026 15:16:34
- Zuletzt bearbeitet 27.05.2026 19:49:48
Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.
CVE-2026-49102
- EPSS 0.16%
- Veröffentlicht 27.05.2026 15:16:34
- Zuletzt bearbeitet 27.05.2026 19:49:48
Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).
CVE-2026-22678
- EPSS 0.17%
- Veröffentlicht 21.05.2026 20:59:52
- Zuletzt bearbeitet 26.05.2026 00:16:49
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser ...
CVE-2025-67738
- EPSS 0.31%
- Veröffentlicht 11.12.2025 06:34:10
- Zuletzt bearbeitet 15.04.2026 00:35:42
squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager...
CVE-2025-61541
- EPSS 0.42%
- Veröffentlicht 16.10.2025 00:00:00
- Zuletzt bearbeitet 06.11.2025 22:20:36
Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header...
CVE-2024-12828
- EPSS 32.02%
- Veröffentlicht 30.12.2024 17:15:07
- Zuletzt bearbeitet 14.08.2025 18:41:57
Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw ...
CVE-2024-45692
- EPSS 0.62%
- Veröffentlicht 04.09.2024 23:15:12
- Zuletzt bearbeitet 05.09.2024 21:35:14
Webmin before 2.202 and Virtualmin before 7.20.2 allow a network traffic loop via spoofed UDP packets on port 10000.