CVE-2026-49103 PUBLISHED

Assigner: mitre
Reserved: 27.05.2026 Published: 27.05.2026 Updated: 27.05.2026

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Webmin
Product	Webmin
Versions	Default: unaffected affected from 0 to 2.640 (excl.)

References

https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1
https://github.com/webmin/webmin/compare/2.630...2.640

Problem Types

CWE-24 Path Traversal: '../filedir' CWE