VYPR
Medium severity5.4NVD Advisory· Published May 21, 2026· Updated May 26, 2026

CVE-2026-22678

CVE-2026-22678

Description

Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Webmin/Webmininferred2 versions
    <2.641+ 1 more
    • (no CPE)range: <2.641
    • (no CPE)range: <2.641

Patches

Vulnerability mechanics

References

2

News mentions

2