Which versions of Webmin are affected by CVE-2026-49103?

Webmin versions before 2.640 contain a critical path traversal vulnerability in the mailboxes component that allows authenticated users to write arbitrary files to the server, potentially enabling…. A patch is available.

How to fix or mitigate CVE-2026-49103?

Within 24 hours: inventory all Webmin deployments and their versions. Within 7 days: upgrade all instances to Webmin 2.640 or later. Within 30 days: audit file modification logs for unauthorized changes during the exposure window and review administrative account activity for suspicious behavior.

Webmin CVE-2026-49103

Q: What is the CVSS score of CVE-2026-49103?

CVE-2026-49103 has a CVSS 4.0 base score of 9.4 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-32532 CRITICAL

Path Traversal: '../filedir' (CWE-24)

2026-05-27 cve@mitre.org

GHSA-6m8g-7xrr-8q5f

Information Disclosure

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 27, 2026 - 19:51 vuln.today

Analysis Generated

May 27, 2026 - 19:51 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

AnalysisAI

Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. …

RemediationAI

Within 24 hours: inventory all Webmin deployments and their versions. Within 7 days: upgrade all instances to Webmin 2.640 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-49103 vulnerability details – vuln.today

Back

Webmin CVE-2026-49103

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Webmin CVE-2026-49103

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code