Skip to main content

Webmin CVE-2026-49103

| EUVDEUVD-2026-32532 CRITICAL
Path Traversal: '../filedir' (CWE-24)
2026-05-27 cve@mitre.org GHSA-6m8g-7xrr-8q5f
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 19:51 vuln.today
Analysis Generated
May 27, 2026 - 19:51 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

AnalysisAI

Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.

Technical ContextAI

Webmin is a Perl-based web administration interface for Unix/Linux systems, and the affected code is its mailboxes module (the IMAP/POP webmail front end shared with Usermin). The root cause is CWE-24 (Path Traversal: '../filedir'): when a user invokes the 'detach all attachments' action, detachall.cgi takes the filename from each MIME attachment part and uses it verbatim to build the save path. Because MIME attachment names are attacker-controllable and were not sanitized, directory-traversal sequences or absolute path fragments in the name flow into the file write. The vendor fix demonstrates the issue precisely - the patched detachall.cgi now strips CR/LF/NUL bytes, converts backslashes to slashes, reduces the name to its basename via s/^.*\///g, blanks out dot-only names, and falls back to a generated 'fileN' name. The companion change in detach.cgi adds similar filename scrubbing plus forces SVG attachments to be served as text/plain to prevent script execution from the Webmin origin, though the CVE description scopes this CVE to detachall.cgi.

RemediationAI

Upgrade to Webmin 2.640 or later, which is the vendor-released fix containing commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 (verifiable in the 2.630...2.640 comparison at https://github.com/webmin/webmin/compare/2.630...2.640); the third-party advisory is https://vuldb.com/vuln/366419. If immediate upgrade is not possible, reduce exposure by restricting the mailboxes/webmail module to trusted administrators only and removing or disabling the module for accounts that do not need it (trade-off: users lose attachment-handling functionality in the Webmin/Usermin mail interface). Additionally, limit network access to the Webmin port (default 10000) to administrative networks and audit the set of accounts that can authenticate, since the attack requires a valid low-privileged login. Avoid using the 'detach all attachments' action on untrusted mailboxes until patched.

Share

CVE-2026-49103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy