PatchSiren cyber security CVE debrief
CVE-2026-22678 Webmin CVE debrief
CVE-2026-22678 affects Webmin before 2.641 and is described as a stored cross-site scripting vulnerability in the System and Server Status module. The issue is tied to the email template description field, where unsanitized input is stored by save_tmpl.cgi and later rendered unescaped in list_tmpls.cgi. The supplied CVE description says low-privileged authenticated attackers could use this to execute arbitrary commands. The NVD record lists the issue as MEDIUM severity with CVSS 5.1 and CWE-79.
- Vendor: Webmin
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams running Webmin instances before 2.641, especially environments where lower-privileged authenticated users can access the System and Server Status module.
Technical summary
The vulnerability is a stored XSS issue in Webmin’s email template description field. According to the supplied CVE description, input accepted by save_tmpl.cgi is not sanitized before storage, and the data is later displayed by list_tmpls.cgi without escaping. That creates a persistent script-injection path in the System and Server Status module. The CVE description further states that this can be leveraged by low-privileged authenticated attackers to execute arbitrary commands. NVD lists the weakness as CWE-79 and assigns CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:P with overall score 5.1.
Defensive priority
Medium. This is not marked as known exploited in the provided corpus, but it affects an administrative web interface and involves stored client-side injection with potential command execution impact as described in the CVE record.
Recommended defensive actions
- Upgrade Webmin to version 2.641 or later, as cited in the supplied vulnerability description.
- Review access controls for the System and Server Status module and restrict lower-privileged authenticated users where possible.
- Audit existing email template descriptions for unexpected or malicious content and remove suspicious stored values.
- Validate that server-side output escaping and input sanitization are correctly enforced in any affected template-management paths.
- Monitor administrative activity and web logs for unusual template creation or modification events around save_tmpl.cgi and list_tmpls.cgi access.
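The store-then-render-unescaped pattern from the technical summary, and the audit of stored descriptions recommended above, illustrated as an added example. This is not Webmin's code (Webmin is written in Perl; Python is used here only to show the pattern): the dictionary of template descriptions, the `render_*` helpers and the markup pattern are constructed for illustration and do not reflect Webmin's actual storage format or page layout.

```python
import html
import re

# Constructed sample of stored template descriptions (assumed format, not Webmin's).
# Two entries carry markup of the kind a stored-XSS audit should surface.
STORED_TEMPLATES = {
    "disk-alert": "Disk usage above 90%",
    "ping-fail": "<script>alert('stored xss')</script>",
    "http-check": 'HTTP check failed <img src=x onerror="alert(1)">',
}


def render_unescaped(desc: str) -> str:
    """Mirrors the flaw described in the CVE: stored text is placed into HTML as-is,
    so any markup saved in the description field becomes live markup on render."""
    return f"<td>{desc}</td>"


def render_escaped(desc: str) -> str:
    """Hardened form: HTML-encode on output (including quotes) so stored text is
    shown literally and cannot become elements, attributes or script."""
    return f"<td>{html.escape(desc, quote=True)}</td>"


# Heuristic for the audit step: a tag opener, an inline event handler, or a
# javascript: URL inside a field that should only ever hold plain text.
MARKUP_PATTERN = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def audit_descriptions(templates: dict) -> list:
    """Return the names of stored descriptions that contain markup-like content
    and should be reviewed and cleaned up by an administrator."""
    return [name for name, desc in templates.items() if MARKUP_PATTERN.search(desc)]


if __name__ == "__main__":
    for name in audit_descriptions(STORED_TEMPLATES):
        print(f"review template {name!r}: {render_escaped(STORED_TEMPLATES[name])}")
```

The escaped renderer is the property to verify on any template-management path: the same stored value must round-trip to the browser as text, never as markup.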
Evidence notes
Evidence in the supplied corpus includes the NVD record for CVE-2026-22678 (vulnStatus: Received), a CVSS 4.0 vector with score 5.1, and a CWE-79 classification. The record references the Webmin 2.641 release changelog and a VulnCheck advisory as source references. The CVE description supplied by the user states the vulnerable product is Webmin before 2.641 and identifies the affected paths save_tmpl.cgi and list_tmpls.cgi within the System and Server Status module. Vendor attribution in the prompt is low-confidence and should be treated cautiously.
Official resources
Publicly disclosed in the NVD record dated 2026-05-21 22:16:46.970Z. The supplied corpus ties the issue to Webmin 2.641 release-related references and a VulnCheck advisory. No KEV listing is present in the provided data.