Cross-Site Scripting Vulnerability in Webmin Mailbox Component
CVE-2026-49102

6.1 MEDIUM

Key Information:

Vendor

Webmin

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-49102?

Webmin versions prior to 2.640 contain a Cross-Site Scripting (XSS) vulnerability in the mailboxes component. The issue arises when SVG document attachments are viewed: the application serves them with the image/svg+xml MIME type instead of a safer alternative such as text/plain, so the browser renders the SVG as a document and runs any script embedded in it. Attackers can exploit this flaw to inject malicious scripts, compromising user data and security. Webmin users are encouraged to update to the latest version to mitigate this vulnerability.
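
The header decision a mail viewer can make before showing an attachment, as an added example; it is not Webmin's code or its actual fix. It generalizes from SVG to other script-capable document types, and the function name `view_headers`, the type lists and the sample attachments are assumptions made for illustration.

```python
# Types a browser may run script from when it renders them as a document.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                "text/xml", "application/xml"}
ACTIVE_EXTENSIONS = (".svg", ".svgz", ".htm", ".html", ".xhtml", ".xml")
# Passive types that can be displayed inline exactly as declared.
INLINE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}


def view_headers(declared_type, filename):
    """Return response headers for viewing one mail attachment (hypothetical helper)."""
    # The declared type comes from the message, so it is attacker-controlled:
    # drop parameters and normalise case before comparing.
    mtype = (declared_type or "").split(";", 1)[0].strip().lower()
    name = (filename or "").strip().lower()
    active = (mtype in ACTIVE_TYPES or mtype.endswith("+xml")
              or name.endswith(ACTIVE_EXTENSIONS))
    if active:
        # Show the markup as source text; the browser must not render it.
        ctype, disposition = "text/plain; charset=utf-8", "inline"
    elif mtype in INLINE_TYPES:
        ctype, disposition = mtype, "inline"
    else:
        # Unknown type: force a download instead of guessing.
        ctype, disposition = "application/octet-stream", "attachment"
    return {
        "Content-Type": ctype,
        "Content-Disposition": disposition,
        # Without nosniff a browser may sniff text/plain back to markup.
        "X-Content-Type-Options": "nosniff",
        # Second layer: even if something renders, scripts stay disabled.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample attachments (declared type, file name).
    samples = [("image/svg+xml", "logo.svg"),
               ("Image/SVG+XML; charset=utf-8", "a.bin"),
               ("image/png", "chart.SVG"),
               ("image/png", "photo.png"),
               ("application/pdf", "invoice.pdf")]
    for declared, fname in samples:
        h = view_headers(declared, fname)
        print(f"{declared!r:34} {fname:12} -> {h['Content-Type']} ({h['Content-Disposition']})")
```
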

Affected Version(s)

Webmin 0 < 2.640

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
