PatchSiren cyber security CVE debrief
CVE-2026-29962 Hsclabs CVE debrief
CVE-2026-29962 is a high-severity local file inclusion/path traversal flaw affecting HSC MailInspector v5.3.3-7. According to the NVD record and referenced advisory material, the endpoint /vendor/phpunit/phpunit.php accepts user-controlled input that can influence file access without sufficient validation or path restriction. The practical impact is unauthorized read access to arbitrary files on the host, creating a sensitive information disclosure risk.
- Vendor: Hsclabs
- Product: Mailinspector
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Administrators and security teams responsible for HSC MailInspector deployments, especially systems exposing the affected endpoint to untrusted networks. Incident responders and defenders monitoring for unexpected file-read activity or disclosure of application and operating-system files should also prioritize this issue.
Technical summary
NVD lists the affected CPE as hsclabs:mailinspector:5.3.3-7 and classifies the weakness as CWE-73. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which indicates network-reachable exploitation with no privileges or user interaction required and a primary impact of confidentiality loss. The supplied description states that user-supplied file paths are not adequately validated, sanitized, or restricted, allowing path traversal to read arbitrary files through /vendor/phpunit/phpunit.php.
Defensive priority
High. The issue is remotely reachable, requires no authentication, and can expose sensitive files, so it should be treated as a priority for exposure review, containment, and vendor remediation tracking.
Recommended defensive actions
- Confirm whether any HSC MailInspector instances are running version 5.3.3-7.
- Restrict or block external access to /vendor/phpunit/phpunit.php and related vendor paths until remediation is applied.
- Apply vendor-provided updates or mitigations as soon as they are available, using the referenced product and advisory materials.
- Review web and application logs for unusual requests targeting file-path parameters or the affected endpoint.
- Check for exposure of sensitive files and credentials that may have been readable through the vulnerability.
- Harden file-handling code and controls so user input cannot resolve to arbitrary filesystem paths.
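The log review step above can be scripted. The following is an added example, not code from PatchSiren, NVD or the vendor. It assumes common/combined-format access logs; the sample lines and the `PARAM` parameter name are constructed placeholders, since the record does not name the affected parameter.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/vendor/phpunit/phpunit.php"  # affected path named in the advisory
# Assumption: access logs use the common/combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Generic heuristics (dot-dot segments, absolute-path values), not a vendor signature.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|=(?:/|[a-z]:[/\\])", re.I)

# Constructed sample lines; "PARAM" is a placeholder parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/May/2026:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [18/May/2026:10:00:01 +0000] "GET /vendor/phpunit/phpunit.php'
    '?PARAM=..%252f..%252fetc%252fhostname HTTP/1.1" 200 312',
    '192.0.2.10 - - [18/May/2026:10:00:02 +0000] "GET /vendor/phpunit/phpunit.php HTTP/1.1" 404 196',
    '203.0.113.5 - - [18/May/2026:10:00:03 +0000] "GET /VENDOR/phpunit/phpunit.php'
    '?PARAM=..%5c..%5cwindows HTTP/1.1" 403 0',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(lines):
    """Return one finding per request that touches the affected endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m["target"])
        if ENDPOINT not in decode(parts.path).lower():
            continue
        traversal = bool(TRAVERSAL_RE.search(decode(parts.query)))
        if traversal and m["status"].startswith("2"):
            severity = "high"    # traversal-looking input and a successful response
        elif traversal:
            severity = "medium"  # traversal-looking input, request not served
        else:
            severity = "review"  # any hit on a path that should not be reachable
        findings.append({"ip": m["ip"], "status": m["status"],
                         "severity": severity, "target": m["target"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "high" finding is a reason to move on to the file and credential exposure check in the next item, using the response size and timestamp from the original log line.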
Evidence notes
This debrief is based on the supplied NVD record published 2026-05-18 and modified 2026-05-19, plus the referenced third-party advisory and product page. The NVD data marks the vulnerability as analyzed, associates it with hsclabs:mailinspector:5.3.3-7, assigns CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and maps the weakness to CWE-73. The supplied description specifically identifies /vendor/phpunit/phpunit.php and describes improper control of user-supplied file paths leading to arbitrary file reads.
Official resources
- CVE-2026-29962 CVE record: CVE.org
- CVE-2026-29962 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: [email protected] - Product
Publicly disclosed in the supplied record on 2026-05-18 18:17:21.383Z and modified on 2026-05-19 17:21:35.583Z. No KEV entry was supplied.