CVE-2026-49102 | THREATINT

Description

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).

PUBLISHED Reserved 2026-05-27 | Published 2026-05-27 | Updated 2026-05-27 | Assigner mitre

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

Any version before 2.640

affected

References

github.com/webmin/webmin/compare/2.630...2.640

github.com/...ommit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1

cve.org (CVE-2026-49102)

nvd.nist.gov (CVE-2026-49102)

Download JSON