CVE-2026-49103

EUVD-2026-32532
Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
9.4 CRITICAL
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
webminwebmin
𝑥
< 2.640
CNA
Common Weakness Enumeration
References
https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1
https://github.com/webmin/webmin/compare/2.630...2.640