Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).
AnalysisAI
Stored cross-site scripting in Webmin's mailboxes component (detach.cgi) allows a remote unauthenticated attacker to execute arbitrary JavaScript in the browser session of an authenticated Webmin user by sending an email containing a crafted SVG attachment. Because detach.cgi served SVG files with the image/svg+xml content type instead of a safe type, browsers treated the SVG as an active document on the Webmin origin, enabling script execution with full same-origin access to the Webmin interface. No public exploit has been identified and CISA has not listed this in KEV, but the attack surface is straightforward given the ubiquity of email as a delivery channel and Webmin's privileged system-administration context.
Technical ContextAI
Webmin is a web-based Unix/Linux system administration panel. The mailboxes module provides an email client interface, and detach.cgi is the CGI script responsible for serving email attachments to the browser. Prior to version 2.640, the script passed SVG attachments directly to the browser with their native content type (image/svg+xml or inferred from a .svg/.svgz filename). Modern browsers treat SVG as an active XML document capable of executing embedded <script> tags when served from a web origin - in this case, the Webmin administration origin. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): attacker-controlled data (the SVG file) was rendered as an executable document in a privileged origin context. The commit diff at cf432879a confirms the fix: the script now detects SVG by content-type regex (^image\/svg(\+xml)?), by the type query parameter, and by filename extension (.svg/.svgz), and downgrades the served content type to text/plain, preventing script execution. The same commit also added filename sanitization to strip path traversal characters (\, /, null bytes, CRLF) in detach.cgi and detachall.cgi.
RemediationAI
Upgrade Webmin to version 2.640 or later, which contains the confirmed vendor-released patch. The specific fix is in commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 (https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1), which changes detach.cgi to serve SVG attachments as text/plain, preventing browser script execution. If immediate upgrade is not possible, a compensating control is to disable the Webmin mailboxes module entirely, preventing access to the vulnerable detach.cgi endpoint - note this disables all in-browser email functionality. Alternatively, network-level access controls restricting which users can reach the Webmin interface reduce the blast radius by limiting who can be targeted, but do not eliminate the vulnerability. Restricting the Webmin interface to trusted IP ranges via firewall rules or Webmin's own IP access controls (Webmin > Webmin Configuration > IP Access Control) reduces exposure without service disruption.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32528
GHSA-2rpj-3356-c2rw