Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, no auth, no interaction; read-only .conf file disclosure yields partial confidentiality loss only, with no integrity or availability impact.
Primary rating from Vendor (cisa-cg).
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.
AnalysisAI
Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file residing within module directories. The root cause is a flawed regular expression (CWE-185) that was intended to restrict accessible file paths but can be bypassed with a crafted request, allowing unauthenticated network attackers to read configuration files that may contain credentials, API keys, or other sensitive deployment data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the vulnerable file-read code path is reachable before any credential check, as confirmed by PR:N and UI:N in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) reflects a limited-scope confidentiality impact (C:L) with no integrity or availability consequence, which is consistent with a read-only file disclosure primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP GET request to a publicly accessible Webmin instance, constructing a file path that satisfies the flawed regex while pointing to a sensitive .conf file - for example, a module configuration containing a database password. The server responds with the raw file contents. … |
| Remediation | The primary remediation is upgrading to Webmin 2.641 or later, which contains the corrected regular expression. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attack
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authen
Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary Jav
Same weakness CWE-185 – Incorrect Regular Expression
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37908
GHSA-xpvh-gv3p-w5qx