PatchSiren cyber security CVE debrief
CVE-2026-29963 Hsclabs CVE debrief
CVE-2026-29963 is a remotely exploitable path traversal issue in HSC MailInspector 5.3.3-7. According to the NVD record, improper validation of user-supplied input in the /tap/dw.php endpoint can allow the text parameter to be used in unsafe file path construction, which may expose arbitrary files on the underlying operating system. The primary impact is unauthorized disclosure of sensitive information, and the published CVSS vector reflects network reachability, no privileges, no user interaction, and high confidentiality impact.
- Vendor: Hsclabs
- Product: Mailinspector
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Security teams and administrators responsible for HSC MailInspector 5.3.3-7, especially if the product is reachable from untrusted networks or used to protect sensitive mail infrastructure. Teams that monitor for data exposure risk should treat this as a confidentiality issue, not just an application bug.
Technical summary
NVD classifies the issue as CWE-22 (Path Traversal) with CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerable CPE in the supplied record is hsclabs:mailinspector:5.3.3-7. The affected endpoint is /tap/dw.php, where the text parameter is described as contributing to file path construction without sufficient normalization or restriction to a safe base directory, enabling arbitrary file reads.
Defensive priority
High. The issue is network-accessible, requires no privileges or user interaction, and can disclose sensitive files. Prioritize exposure assessment and remediation for any deployed instance of HSC MailInspector 5.3.3-7, especially internet-facing systems.
Recommended defensive actions
- Inventory all HSC MailInspector deployments and confirm whether version 5.3.3-7 is in use.
- Treat any internet-exposed instance as high priority for remediation or isolation.
- Follow vendor and advisory guidance from the referenced product and third-party disclosure sources.
- Review access controls and network exposure around the /tap/dw.php endpoint.
- Monitor logs and telemetry for unusual requests involving file-download or traversal-like patterns on this endpoint.
- Check for possible exposure of sensitive configuration or OS files and rotate credentials or secrets if disclosure is suspected.
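One way to implement the log-monitoring action above, as an added example that is not part of the original debrief or of any vendor tooling: it scans web access logs for requests to /tap/dw.php whose text value resolves to a parent-directory segment or an absolute path, including percent-encoded and double-encoded forms. It assumes a combined-format access log and that the parameter appears in the query string; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/tap/dw.php"  # endpoint named in the NVD record
PARAM = "text"            # parameter named in the NVD record
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses, file names and sizes are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2026:10:01:02 +0000] "GET /tap/dw.php?text=report-0519.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/May/2026:10:01:07 +0000] "GET /tap/dw.php?text=../../etc/hostname HTTP/1.1" 200 14',
    '203.0.113.9 - - [19/May/2026:10:01:09 +0000] "GET /tap/dw.php?text=%252e%252e%252fconf%252fapp.ini HTTP/1.1" 200 90',
    '203.0.113.7 - - [19/May/2026:10:02:00 +0000] "GET /index.php?text=../x HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value):
    """True for a parent-directory segment, an absolute path or a NUL byte."""
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/") or path.startswith("/") or "\x00" in path

def flag_requests(log_lines):
    """Return (line_number, value) for suspicious requests to the endpoint."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes once; is_suspicious handles further layers.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_suspicious(value):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in flag_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious {PARAM}={value!r}")
```

A hit with a 200 status and a non-trivial response size is the case to escalate for the file-exposure and credential-rotation check in the last action item.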
Evidence notes
The supplied NVD metadata marks the vulnerability as analyzed and links it to Hsclabs MailInspector 5.3.3-7. The record identifies CWE-22 and the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which supports a remote, low-complexity confidentiality-impacting issue. The references include the CVE record, NVD detail page, a product page, and a third-party disclosure repository.
Official resources
- CVE-2026-29963 CVE record (CVE.org)
- CVE-2026-29963 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Third Party Advisory)
- Mitigation or vendor reference ([email protected] - Third Party Advisory)
- Source reference ([email protected] - Product)
CVE-2026-29963 was published on 2026-05-18 and modified on 2026-05-19 in the supplied record. The dataset does not include a CISA KEV listing for this issue.