Vulnerability Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Software Version: < 2.640
NIST: https://nvd.nist.gov/vuln/detail/cve-2026-49102
CVSS: 6.1
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Marco Ventura, Massimiliano Brolli
Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).
Prerequisites: An attacker must be authenticated with low privilege (only the “Read User Email” module needs to be enabled for that account).
Step-by-step instructions and PoC
A remote, low-privileged user can store malicious JavaScript code in an email attachment. Successful exploitation of this vulnerability can lead to remote code execution (RCE), privilege escalation, extraction of sensitive information and/or the execution of arbitrary HTTP requests in the context of the admin's session.
Affected Endpoints
• URL: https://[IP]:[PORT]/mailboxes/send_mail.cgi
• Vulnerable parameter: attach0
Below is the evidence with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
Image 1 - Payload 1/2
Image 2 - Payload 2/2
As shown in the following figure, a low-privileged user can send a malicious mail to an admin/root Webmin user.
Image 3 - Email Received in the admin/root webmin view
As shown in the figure below, when the admin opens the mail in the mailboxes module and views the attachment, the malicious payload is executed.
Image 4 - Image showing the malicious attachment received by the user with limited privileges
Image 5 - PoC showing successful execution of the RCE via the XSS in OS context
Image 6 - PoC showing successful execution of the XSS in browser context
Security Impact
An attacker can exploit this vulnerability to perform privilege escalation, extract sensitive information or issue arbitrary HTTP requests in the context of the admin's session. Because the script runs with the admin's Webmin session, in this particular situation the attacker can also achieve remote code execution in the OS context.
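The root cause is that the attachment-download endpoint returns an SVG with its declared Content-Type (image/svg+xml) and lets the browser render it inline in Webmin's origin, so any <script> inside the SVG runs with the viewer's session. The following is an added illustration, written in Python and not Webmin's own Perl code, of the pre-fix header logic next to a hardened version (downgrade active types to text/plain, force a download, add nosniff and a sandboxing CSP). The sample message, the addresses and the file name chart.svg are constructed for the example; the detector regex is a defence-in-depth heuristic, not Webmin's fix.

```python
import email
import mimetypes
import os
import re
from email import policy
from email.message import EmailMessage

# Content types a browser will execute script from when rendered inline.
# Anything ending in "+xml" gets the same treatment, since an XML document
# can carry an <svg> or XHTML root (and thus <script>) under another label.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                "text/xml", "application/xml"}


def resolve_type(filename, declared_type):
    """Normalise the type an attachment claims, or guess it from the name."""
    ctype = (declared_type or mimetypes.guess_type(filename)[0]
             or "application/octet-stream")
    return ctype.split(";", 1)[0].strip().lower()


def vulnerable_headers(filename, declared_type):
    """Pre-fix behaviour (illustrative): serve the attachment inline with
    its declared type. An SVG therefore renders as a document in Webmin's
    origin and its script runs with the viewer's session."""
    return {"Content-Type": resolve_type(filename, declared_type),
            "Content-Disposition": f'inline; filename="{filename}"'}


def safe_headers(filename, declared_type):
    """Hardened behaviour: downgrade active types to text/plain, force a
    download, and stop the browser from sniffing its way back to SVG."""
    ctype = resolve_type(filename, declared_type)
    if ctype in ACTIVE_TYPES or ctype.endswith("+xml"):
        ctype = "text/plain; charset=utf-8"
    # Strip directories and anything that could break the header value.
    safe_name = re.sub(r"[^\w.-]", "_", os.path.basename(filename)) or "attachment"
    return {"Content-Type": ctype,
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox"}


# Heuristic (assumption, not a complete parser): markers of script-bearing SVG.
ACTIVE_SVG = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b", re.I)


def svg_has_active_content(data: bytes) -> bool:
    """Cheap detector for SVG that would execute script if rendered inline."""
    return ACTIVE_SVG.search(data) is not None


# Constructed sample: an SVG that would pop an alert if rendered inline.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')


def build_sample_mail() -> bytes:
    """Constructed message resembling what send_mail.cgi would store
    (hypothetical addresses; not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "lowpriv@example.test"
    msg["To"] = "root@example.test"
    msg["Subject"] = "report"
    msg.set_content("see attached")
    msg.add_attachment(SAMPLE_SVG, maintype="image", subtype="svg+xml",
                       filename="chart.svg")
    return msg.as_bytes()


def plan_attachment_responses(raw: bytes):
    """Walk every attachment in a stored mail and show the headers it would
    get before and after the hardening, plus whether it looks active."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "attachment"
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        out.append({"filename": name,
                    "declared": ctype,
                    "active_svg": ctype == "image/svg+xml" and svg_has_active_content(data),
                    "before": vulnerable_headers(name, ctype),
                    "after": safe_headers(name, ctype)})
    return out


if __name__ == "__main__":
    for entry in plan_attachment_responses(build_sample_mail()):
        print(entry["filename"], entry["declared"], "active:", entry["active_svg"])
        print("  before:", entry["before"])
        print("  after: ", entry["after"])
```

Forcing Content-Disposition: attachment on its own is not enough for every browser and every type, which is why the hardened variant also rewrites the type and sets X-Content-Type-Options: nosniff; the detector is only useful for logging or a mail-scanner rule, never as the sole control.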