PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29964 Hsclabs CVE debrief

CVE-2026-29964 is a reflected cross-site scripting vulnerability in HSC MailInspector v5.3.3-7. According to the NVD record and linked advisory material, the /tap/tap.php endpoint reflects user-controlled input without adequate output encoding, including cases involving alternate or obfuscated JavaScript syntax. Because the flaw requires a victim to interact with a crafted request or response, the immediate risk is browser-side code execution in a user’s session rather than direct server compromise.

Vendor: Hsclabs
Product: Mailinspector
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Administrators and security teams running HSC MailInspector v5.3.3-7 should care most, especially if the interface is reachable by users who may be induced to click attacker-supplied links. Mail security and messaging teams should also review this if MailInspector is used by privileged operators, since successful XSS can affect authenticated browser sessions.

Technical summary

The NVD entry maps the issue to CWE-79 and lists the vulnerable CPE as hsclabs:mailinspector:5.3.3-7. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which indicates network reachability, low attack complexity, no privileges required, and user interaction required. The vendor/product reference and third-party advisory identify the vulnerable endpoint as /tap/tap.php and describe improper neutralization of user input in HTTP responses, allowing script execution in the victim browser context.

Defensive priority

Medium. Treat as a priority patch for any internet-exposed or user-facing deployment, but the user-interaction requirement and absence of availability impact make it less urgent than a fully unauthenticated server-side RCE. If immediate patching is not possible, reduce exposure to the endpoint and harden browser-side handling and access pathways.

Recommended defensive actions

  • Upgrade or remediate HSC MailInspector v5.3.3-7 using vendor guidance or the linked advisory references.
  • Review and fix output encoding and input handling in /tap/tap.php so user-controlled data is never reflected into HTTP responses unsafely.
  • Add or strengthen server-side validation and context-aware output encoding for any parameters reaching this endpoint.
  • Restrict access to the MailInspector interface to trusted users and networks where feasible.
  • Monitor for suspicious requests to /tap/tap.php and unusual browser-side activity in administrator or operator sessions.
  • Validate any deployed compensating controls by testing that the vulnerable input is no longer reflected in executable form.

Evidence notes

The CVE record and NVD detail both identify CVE-2026-29964 as a CWE-79 issue affecting HSC MailInspector v5.3.3-7. The NVD metadata includes the vulnerable CPE, the CVSS vector, and references to a third-party advisory and the product page. The supplied advisory description states that /tap/tap.php reflects unsanitized input and can enable arbitrary JavaScript execution in a victim browser. No KEV entry was provided in the supplied corpus.

Official resources

Publicly disclosed on 2026-05-18T18:17:21.650Z and updated on 2026-05-19T17:20:32.380Z. No Known Exploited Vulnerabilities (KEV) listing was provided in the supplied data.