PatchSiren cyber security CVE debrief
CVE-2026-49102 Webmin CVE debrief
A cross-site scripting (XSS) vulnerability exists in Webmin versions prior to 2.640. The flaw resides in the mailboxes/detach.cgi component, which handles email attachments. When an SVG document is attached to an email and subsequently viewed within the Webmin mailboxes interface, the application serves the file with a content type of image/svg+xml rather than a safe alternative such as text/plain. This allows embedded JavaScript within the SVG to execute in the context of the user's browser session. The vulnerability was addressed in Webmin 2.640. The CVSS 3.1 score of 6.1 reflects network attack vector, low attack complexity, required user interaction, and changed scope with low impacts to confidentiality and integrity.
- Vendor: Webmin
- Product: Unknown
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Webmin for server administration, particularly those using the built-in mailboxes feature for email management. Security teams responsible for web application security and email gateway protection should prioritize patching.
Technical summary
The vulnerability is a stored cross-site scripting issue in Webmin's email mailbox component. The detach.cgi script fails to enforce safe content-type handling for SVG attachments, rendering them as image/svg+xml rather than neutralizing them as text/plain. This permits script execution when users view attachments within the Webmin interface. The fix in version 2.640 modifies the attachment handling logic to use safer content disposition.
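To make the content-type point concrete, here is an added illustration (not Webmin's code, and not the actual cf432879 fix) of the two header policies for an attachment download endpoint. The vulnerable path passes the attachment's declared type through, so an SVG is rendered inline and its scripts run; the hardened path forces text/plain plus an attachment disposition and nosniff. The extension map, the set of script-capable types (it generalizes beyond SVG to HTML/XHTML), and the simplified browser model are assumptions for this example.

```python
# Script-capable document types a browser will render when served inline.
# image/svg+xml is the one CVE-2026-49102 concerns; the others are the same class.
ACTIVE_CONTENT_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}

# Constructed extension-to-MIME map standing in for whatever the mail parser declares.
DECLARED_TYPES = {"svg": "image/svg+xml", "html": "text/html",
                  "png": "image/png", "txt": "text/plain"}


def declared_type(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return DECLARED_TYPES.get(ext, "application/octet-stream")


def safe_filename(filename: str) -> str:
    # Strip CR/LF and quotes so the filename cannot break out of the header value.
    return "".join(c for c in filename if c not in '\r\n"')


def attachment_headers(filename: str, hardened: bool = True) -> dict:
    """Response headers for serving a mail attachment from a detach-style endpoint."""
    ctype = declared_type(filename)
    name = safe_filename(filename)
    if not hardened:
        # Pre-fix behaviour described in the advisory: the declared type is honoured
        # and the document is rendered inline, so an SVG's scripts execute in the
        # Webmin origin.
        return {"Content-Type": ctype,
                "Content-Disposition": f'inline; filename="{name}"'}
    # Hardened: neutralize script-capable types to text/plain, force a download,
    # and stop the browser from sniffing the body back into an active type.
    if ctype in ACTIVE_CONTENT_TYPES:
        ctype = "text/plain"
    return {"Content-Type": ctype,
            "Content-Disposition": f'attachment; filename="{name}"',
            "X-Content-Type-Options": "nosniff"}


def browser_would_execute_scripts(headers: dict) -> bool:
    """Simplified browser model: only inline, script-capable documents run scripts."""
    ctype = headers["Content-Type"].split(";")[0].strip().lower()
    disp = headers["Content-Disposition"].split(";")[0].strip().lower()
    return ctype in ACTIVE_CONTENT_TYPES and disp == "inline"


if __name__ == "__main__":
    for mode in (False, True):
        h = attachment_headers("diagram.svg", hardened=mode)
        print("hardened" if mode else "vulnerable", h, browser_would_execute_scripts(h))
```

The same check is worth applying to any endpoint that echoes user-supplied files back to an authenticated browser session, not only the mailboxes module.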
Defensive priority
medium
Recommended defensive actions
- Upgrade Webmin to version 2.640 or later to remediate the XSS vulnerability in mailboxes/detach.cgi.
- If immediate patching is not feasible, consider restricting access to the Webmin mailboxes component to trusted administrative hosts only.
- Review email attachment handling policies to block or sanitize SVG attachments at the mail gateway level as a defense-in-depth measure.
- Monitor for anomalous access patterns to mailboxes/detach.cgi that may indicate exploitation attempts.
Evidence notes
CVE description confirms affected versions and attack vector via SVG attachment handling. NVD source references include commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 and version comparison 2.630...2.640 indicating fix boundary. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N sourced from NVD metadata. CWE-79 classification confirmed in source weaknesses field.
Official resources
2026-05-27