HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
References
| Link | Resource |
|---|---|
| https://github.com/sql3t0/cve-disclosures | Third Party Advisory |
| https://github.com/sql3t0/cve-disclosures/blob/main/01_-_CVE-2026-29962_LFI%2BPath_Traversal.md | Third Party Advisory |
| https://hsclabs.com/pt-br/mailinspector | Product |
Configurations
History
19 May 2026, 17:21
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Hsclabs mailinspector
Hsclabs |
|
| CPE | cpe:2.3:a:hsclabs:mailinspector:5.3.3-7:*:*:*:*:*:*:* | |
| References | () https://github.com/sql3t0/cve-disclosures - Third Party Advisory | |
| References | () https://github.com/sql3t0/cve-disclosures/blob/main/01_-_CVE-2026-29962_LFI%2BPath_Traversal.md - Third Party Advisory | |
| References | () https://hsclabs.com/pt-br/mailinspector - Product |
19 May 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-73 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
18 May 2026, 18:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-18 18:17
Updated : 2026-05-19 17:21
NVD link : CVE-2026-29962
Mitre link : CVE-2026-29962
CVE.ORG link : CVE-2026-29962
JSON object : View
Products Affected
hsclabs
- mailinspector
CWE
CWE-73
External Control of File Name or Path