CVE-2026-3610

A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affected by this issue is some unknown functionality of the file /mailinspector/mliUserValidation.php of the component URL Handler. The manipulation of the argument error_description results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used. Upgrading to version 5.4.0 can resolve this issue. You should upgrade the affected component. The vendor was contacted early and responded very professional: "We have already implemented the fix and made a hotfix available to affected customers, ensuring mitigation while the official release 5.4.0 has not yet been published. This allows customers to address the issue immediately, outside the regular release cycle."

CVSS v3 4.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://docs.google.com/document/d/1KI2SIDcVm5U3Yzo5tNT5YOwREQWe_5BJaWe-ctRmLoI/edit?usp=sharing
https://vuldb.com/?ctiid.349219
https://vuldb.com/?id.349219
https://vuldb.com/?submit.748710

Configurations

No configuration.

History

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad fue encontrada en HSC Ciberseguridad Mailinspector hasta la versión 5.3.2-3. Afectada por este problema es alguna funcionalidad desconocida del archivo /mailinspector/mliUserValidation.PHP del componente Gestor de URL. La manipulación del argumento error_description resulta en cross-site scripting. El ataque puede ser realizado desde remoto. El exploit ha sido hecho público y podría ser usado. Actualizar a la versión 5.4.0 puede resolver este problema. Debería actualizar el componente afectado. El proveedor fue contactado temprano y respondió muy profesional: 'Ya hemos implementado la corrección y hemos puesto a disposición un hotfix para los clientes afectados, asegurando la mitigación mientras la versión oficial 5.4.0 aún no ha sido publicada. Esto permite a los clientes abordar el problema de inmediato, fuera del ciclo de lanzamiento regular.'

06 Mar 2026, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 01:15

Updated : 2026-03-09 13:36

NVD link : CVE-2026-3610

Mitre link : CVE-2026-3610

CVE.ORG link : CVE-2026-3610

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2026-3610

4.3^/10

5.0^/10

Attach tags to `CVE-2026-3610`