Severity by source
CVSS 4.0 vector (NVD, primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary commands by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.
Analysis (AI-generated)
Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary JavaScript via the email template description field in the System and Server Status module. The payload is persisted through save_tmpl.cgi and rendered without HTML encoding by list_tmpls.cgi, executing in the browser of any user who subsequently views the template list - a population likely to include privileged administrators. …
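The bug described above is an output-encoding failure: the description is stored verbatim and interpolated into the template list without HTML encoding. The following Perl is an added example, not Webmin's own code from save_tmpl.cgi or list_tmpls.cgi; the helper names, the name/desc record layout and the sample templates are constructed for illustration. It shows the vulnerable interpolation beside the encode-on-output fix, plus an audit helper a defender can run over stored templates before upgrading to 2.641.

```perl
#!/usr/bin/perl
# Added example (hypothetical helpers, not Webmin's code). Shows why a
# stored description must be HTML-encoded when list_tmpls.cgi renders it.
use strict;
use warnings;

# Encode the five characters that let stored text break out of an HTML text
# node or attribute value. Encoding at render time keeps the stored value
# intact and covers every page that displays it.
sub html_escape_desc {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: the stored description is interpolated straight into
# the table row, so any markup it carries becomes part of the page.
sub render_row_unsafe {
    my ($tmpl) = @_;
    return "<tr><td>$tmpl->{name}</td><td>$tmpl->{desc}</td></tr>\n";
}

# Fixed pattern: every stored field is encoded before it reaches the HTML.
sub render_row_safe {
    my ($tmpl) = @_;
    return "<tr><td>" . html_escape_desc($tmpl->{name}) . "</td><td>"
         . html_escape_desc($tmpl->{desc}) . "</td></tr>\n";
}

# Pre-upgrade audit: return names of templates whose description contains
# markup characters, i.e. text an unpatched list_tmpls.cgi would render live.
sub audit_templates {
    my (@tmpls) = @_;
    return map { $_->{name} } grep { $_->{desc} =~ /[<>]/ } @tmpls;
}

# Constructed sample data (assumed name/desc layout, not Webmin's format).
my @templates = (
    { name => 'cpu-high',  desc => 'Load > 4 for 10 min & "page" ops' },
    { name => 'disk-full', desc => 'Alert when <b>/var</b> fills up' },
);

print "Unsafe:\n", map { render_row_unsafe($_) } @templates;
print "Safe:\n",   map { render_row_safe($_) } @templates;
print "Needs review: ", join(', ', audit_templates(@templates)), "\n";
```

Because audit_templates flags `>` as well as `<`, the first sample is reported even though it is harmless; treat the list as candidates to inspect, not as confirmed injections.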
Vulnerability Assessment (AI-generated)
| Section | Assessment |
|---|---|
| Exploitation | The attacker must hold a valid Webmin account with at least low-privileged access to the System and Server Status module's email template functionality, as confirmed by the CVSS 4.0 vector component PR:L. … |
| Risk Assessment | The CVSS 4.0 base score of 5.1 (Medium) accurately captures meaningful real-world constraints. … |
| Exploit Scenario | An attacker with a low-privileged Webmin account navigates to the System and Server Status module and creates or edits an email template, inserting a JavaScript payload (such as a session cookie exfiltration script) into the description field, which is saved via save_tmpl.cgi. When a higher-privileged administrator later opens the template management page at list_tmpls.cgi, the payload silently executes in their browser, potentially allowing the attacker to steal the admin's session token and gain full administrative control of the Webmin interface and the underlying server. … |
| Remediation | The primary fix is upgrading to Webmin 2.641, which resolves this stored XSS as documented in the vendor changelog at https://webmin.com/changelog/webmin-2.641-released/. … |
Related Webmin advisories (titles truncated on the page):
- Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attack
- MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authen
- Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file re
Weakness: CWE-79 – Cross-site Scripting (XSS)
EUVD-2026-31350
GHSA-vxwv-pg73-pf78