CVE-2026-22678
EUVD-2026-3135021.05.2026, 22:16
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| webmin | webmin | 𝑥 < 2.641 |
𝑥
= Vulnerable software versions