CVE-2026-49102

Published May 27th, 2026

View on NVD ↗

CVSS v3

6.1

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).

webmin/webmin

Powerful and flexible web-based server management control panel

GitHub

5.94K