CVE-2025-61541

Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain into the reset email. If a victim follows the poisoned link, the attacker can intercept the reset token and gain full control of the target account.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
mitreCNA
---
---
CISA-ADPADP
7.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
webminwebmin
2.510
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.webmin.com/
https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-61541
https://github.com/webmin/webmin