
Webmin

4 CVEs

CVE-2026-56020 CRITICAL PATCH Act Now

Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attackers to impersonate any user, including root/admin, by sending a forged HTTP header that spoofs an SSL client certificate Distinguished Name. The flaw maps to CWE-290 (Authentication Bypass by Spoofing) and is rated CVSS 4.0 9.2 (Critical); a vendor-released fix exists in 2.641, but no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass | Webmin
NVD | GitHub | VulDB
CVSS 4.0: 9.2 | EPSS: 0.3%
CVE-2026-56021 MEDIUM This Month

Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file residing within module directories. The root cause is a flawed regular expression (CWE-185) that was intended to restrict accessible file paths but can be bypassed with a crafted request, allowing unauthenticated network attackers to read configuration files that may contain credentials, API keys, or other sensitive deployment data. No public exploit or CISA KEV listing has been identified at time of analysis, though the zero-authentication, network-accessible attack surface makes this straightforward to probe at scale.

Authentication Bypass | Webmin
NVD | GitHub | VulDB
CVSS 4.0: 6.9 | EPSS: 0.3%
CVE-2026-56022 MEDIUM PATCH This Month

MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.

Authentication Bypass | Webmin
NVD | GitHub | VulDB
CVSS 4.0: 6.9 | EPSS: 0.3%
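Two checks a practitioner would want against the three pre-2.641 authentication issues above (CVE-2026-56020, CVE-2026-56021 and CVE-2026-56022): an affected-version test, and a log sweep for the one concrete indicator the page gives, a User-Agent equal to the literal string 'webmin'. This is an added example, not Webmin's own code or a vendor tool. It assumes Webmin sits behind a reverse proxy writing Apache/nginx "combined" format (Webmin's own miniserv log is not assumed to carry the User-Agent), that nginx fills the user field from a Basic `Authorization` header so a non-"-" user means Basic credentials were sent rather than a session cookie, and that miniserv.pl advertises itself as `Server: MiniServ/<version>`. The log lines are constructed for the example.

```python
import re
from typing import List, Optional

# Release that carries the vendor fix for the issues on this page.
# Webmin version numbers are plain decimals (2.640, 2.641, ...), so a float
# comparison is the natural test; a package suffix such as "-1" is ignored.
FIXED_VERSION = 2.641


def is_affected(version: str) -> bool:
    """True when a Webmin version string (e.g. "2.640", "2.640-1") predates 2.641."""
    m = re.match(r"(\d+\.\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Webmin version: {version!r}")
    return float(m.group(1)) < FIXED_VERSION


def version_from_server_header(value: str) -> Optional[str]:
    """Extract the version from a Server header like "MiniServ/2.640".
    Assumption: miniserv.pl announces itself in this form."""
    m = re.match(r"MiniServ/(\d+\.\d+)", value.strip())
    return m.group(1) if m else None


# Constructed sample: combined-format lines as an nginx proxy in front of Webmin
# might write them. Paths, addresses and timestamps are illustrative only.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2026:09:14:02 +0000] "GET /session_login.cgi HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - admin [21/Jan/2026:09:14:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "webmin"
198.51.100.4 - - [21/Jan/2026:09:15:30 +0000] "GET /webmin/ HTTP/1.1" 401 0 "-" "Webmin Mobile Client"
203.0.113.7 - admin [21/Jan/2026:09:15:45 +0000] "GET /proc/index.cgi HTTP/1.1" 200 9001 "-" "webmin"
198.51.100.9 - - [21/Jan/2026:09:16:01 +0000] "GET / HTTP/1.1" 401 0 "-" "webmin"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_mfa_bypass_candidates(log_text: str) -> List[dict]:
    """Flag requests whose User-Agent is exactly 'webmin', the literal the
    CVE-2026-56022 description names. Matching is exact and case-sensitive
    because that is all the advisory text supports; 'Webmin Mobile Client'
    is deliberately not matched. basic_auth_seen relies on the nginx
    $remote_user assumption described in the lead-in."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        if m.group("ua") != "webmin":
            continue
        hits.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "basic_auth_seen": m.group("user") != "-",
        })
    return hits


if __name__ == "__main__":
    banner = "MiniServ/2.640"  # constructed banner, not a live probe
    ver = version_from_server_header(banner)
    print(f"{banner}: affected={is_affected(ver) if ver else 'unknown'}")
    for h in find_mfa_bypass_candidates(SAMPLE_LOG):
        print(h)
```

A hit with `basic_auth_seen` true and a 200 status is the pattern the advisory describes (credentials accepted with no session cookie and no second factor); a hit with the user field empty or a 401 still shows someone sending the magic User-Agent and is worth keeping as a probe indicator.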
CVE-2026-22678 MEDIUM PATCH This Month

Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary JavaScript via the email template description field in the System and Server Status module. The payload is persisted through save_tmpl.cgi and rendered without HTML encoding by list_tmpls.cgi, executing in the browser of any user who subsequently views the template list - a population likely to include privileged administrators. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch (Webmin 2.641) is available.

XSS | Webmin
NVD | VulDB
CVSS 4.0: 5.1 | EPSS: 0.0%
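The stored XSS above is an output-encoding failure: the description is persisted as submitted and later concatenated into HTML unescaped. The following added example (not Webmin's code, and in Python rather than the Perl the real CGI scripts are written in) shows a minimal rendering of a template list in the flawed form beside the hardened form, and a crude check that tells them apart. The template records and the `<img onerror>` string are constructed placeholders, not a payload known to have been used against Webmin.

```python
import html
import re

# Constructed template records; "desc" is the attacker-controlled field the
# advisory describes. The second record carries a generic XSS canary.
TEMPLATES = [
    {"name": "Disk usage warning", "desc": "Sent when a filesystem exceeds 90%"},
    {"name": "canary", "desc": '<img src=x onerror="alert(document.cookie)">'},
]


def render_list_vulnerable(templates) -> str:
    """Mirrors the flaw: untrusted fields dropped into HTML with no encoding,
    so a stored description becomes live markup for every viewer."""
    rows = [f"<tr><td>{t['name']}</td><td>{t['desc']}</td></tr>" for t in templates]
    return "<table>" + "".join(rows) + "</table>"


def render_list_fixed(templates) -> str:
    """Hardened form: every untrusted value is escaped at the point it is
    written out. quote=True also encodes ' and ", which matters once the same
    value is reused inside an attribute (the title here)."""
    rows = []
    for t in templates:
        name = html.escape(t["name"], quote=True)
        desc = html.escape(t["desc"], quote=True)
        rows.append(f'<tr><td title="{name}">{name}</td><td>{desc}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"


# Any tag other than the ones this renderer emits itself.
FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:table|tr|td)\b)[A-Za-z]")


def contains_foreign_markup(rendered: str) -> bool:
    """True when the rendered page carries a tag the renderer did not write,
    i.e. stored input survived as markup."""
    return FOREIGN_TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_list_vulnerable),
                          ("fixed", render_list_fixed)):
        out = render(TEMPLATES)
        print(f"{label}: foreign markup = {contains_foreign_markup(out)}")
        print(out)
```

The check is only a test aid; the fix is the escaping in `render_list_fixed`, applied on output rather than at save time so that a description stored before the patch is rendered safely too.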
