Medium severity5.4NVD Advisory· Published May 21, 2026· Updated May 26, 2026
CVE-2026-22678
CVE-2026-22678
Description
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-statusnvdThird Party Advisory
- webmin.com/changelog/webmin-2.641-released/nvdRelease Notes
News mentions
2- ⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and MoreThe Hacker News · Jul 6, 2026
- Critical Webmin Vulnerabilities Allow Attackers to Impersonate as Any UserCyber Security News · Jun 24, 2026