Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.
References
| Link | Resource |
|---|---|
| https://webmin.com/changelog/webmin-2.641-released/ | Release Notes |
| https://www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-status | Third Party Advisory |
History
26 May 2026, 00:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi. |
22 May 2026, 20:56
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | Webmin; Webmin webmin | |
| References | () https://webmin.com/changelog/webmin-2.641-released/ - Release Notes | |
| References | () https://www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-status - Third Party Advisory | |
| CPE | cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* |
21 May 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-21 22:16
Updated : 2026-05-26 00:16
NVD link : CVE-2026-22678
Mitre link : CVE-2026-22678
CVE.ORG link : CVE-2026-22678
Products Affected
webmin
- webmin
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
