PatchSiren cyber security CVE debrief
CVE-2026-49103 Webmin CVE debrief
A critical path traversal vulnerability exists in Webmin versions prior to 2.640, specifically within the mailboxes component's attachment handling functionality. The flaw resides in `mailboxes/detachall.cgi`, where unsafe filename construction during attachment saving operations allows attackers to manipulate file paths. This vulnerability carries a CVSS 4.0 score of 9.4 (Critical), indicating severe impact potential across confidentiality, integrity, and availability dimensions. The issue was addressed in Webmin 2.640, with a security patch available via commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1. The vulnerability was published to the CVE database on 2026-05-27 and subsequently modified the same day. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Webmin
- Product: Unknown
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
- System administrators managing Webmin installations, particularly those exposing mail server management functionality
- Security teams responsible for Unix/Linux server infrastructure
- Organizations using Webmin for remote system administration
- Email service providers utilizing Webmin's mailboxes component for attachment handling
Technical summary
The vulnerability stems from a path traversal weakness (CWE-24, Path Traversal: '../filedir') within the Webmin mailboxes module. The `detachall.cgi` script fails to safely construct filenames when processing email attachments, enabling attackers with low privileges to traverse directory structures and potentially write files to arbitrary locations on the underlying filesystem. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) reflects a network attack vector, low attack complexity, no required user interaction, low privilege requirements, and high impacts across all security dimensions, including compromise of subsequent systems. The fix in commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 addresses the filename sanitization logic.
Defensive priority
critical
Recommended defensive actions
- Upgrade Webmin to version 2.640 or later to remediate the unsafe filename construction vulnerability in the mailboxes component
- If immediate patching is not feasible, restrict access to the mailboxes/detachall.cgi endpoint to trusted administrative sources only
- Monitor file system access patterns in Webmin attachment directories for anomalous path traversal indicators
- Review Webmin access logs for suspicious requests targeting the mailboxes component prior to the disclosure date
- Validate that Webmin installations are not exposed to untrusted networks, as the vulnerability requires network access (AV:N)
- Apply principle of least privilege to Webmin user accounts to reduce attack surface from the required low privileges (PR:L)
- Consider implementing Web Application Firewall rules to detect and block path traversal sequences in attachment-related requests
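As an added example (not code from the advisory or the Webmin project), the log-review and monitoring actions above can be scripted: the helper below parses Common Log Format lines of the kind miniserv writes, keeps only requests to `mailboxes/detachall.cgi`, and flags any whose path or query contains a `..` segment after full percent-decoding, so encoded and double-encoded traversal sequences are caught as well as plain ones. The log lines, hosts and query parameter names are constructed for this example and are not taken from the CVE record.

```python
import re
from urllib.parse import unquote

# Constructed sample log in Common Log Format; hosts, users, timestamps
# and query parameters are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/May/2026:10:01:12 +0000] "GET /mailboxes/detachall.cgi?folder=0&id=12 HTTP/1.1" 200 512
10.0.0.7 - mailuser [27/May/2026:10:02:40 +0000] "POST /mailboxes/detachall.cgi HTTP/1.1" 200 120
10.0.0.9 - mailuser [27/May/2026:10:03:05 +0000] "GET /mailboxes/detachall.cgi?dir=../../../../etc HTTP/1.1" 200 300
10.0.0.9 - mailuser [27/May/2026:10:03:09 +0000] "GET /mailboxes/detachall.cgi?dir=%2e%2e%2f%2e%2e%2ftmp HTTP/1.1" 200 300
10.0.0.9 - mailuser [27/May/2026:10:03:15 +0000] "GET /mailboxes/detachall.cgi?dir=%252e%252e%252f HTTP/1.1" 200 300
10.0.0.4 - admin [27/May/2026:10:04:00 +0000] "GET /other/index.cgi?p=../x HTTP/1.1" 200 100
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." that stands alone as a path segment (start, "/" or "\" on one side,
# "/" , "\" or end on the other); "file..txt" is deliberately not matched.
TRAVERSAL_RE = re.compile(r'(?:^|[^\w.])\.\.(?:[/\\]|$)')

def decode_fully(s, rounds=3):
    """Percent-decode until stable so double-encoded sequences become visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def flag_traversal_requests(log_text, endpoint="/mailboxes/detachall.cgi"):
    """Return the log records for `endpoint` whose target carries a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF (truncated, banner, etc.)
        target = m.group("target")
        if target.split("?", 1)[0] != endpoint:
            continue
        if TRAVERSAL_RE.search(decode_fully(target)):
            hits.append({k: m.group(k) for k in ("host", "user", "ts", "target", "status")})
    return hits

if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']} {hit['target']} -> {hit['status']}")
```

Point the function at the real miniserv log for the window before the disclosure date; a 200 status on a flagged request is the case worth escalating, since it indicates the server accepted the path rather than rejecting it.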
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Vendor identification (Webmin) derived from source references to webmin/webmin GitHub repository. Patch commit and version comparison links confirm remediation in version 2.640. CVSS vector and score obtained from NVD source data. CWE-24 (Path Traversal) classification from MITRE source reference.
2026-05-27T15:16:34.170Z