VYPR
Medium severity (5.4) · NVD Advisory · Published May 21, 2026

CVE-2026-22678

Description

Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary commands by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Webmin before 2.641 is vulnerable to stored XSS via unsanitized email template description fields in the System and Server Status module, allowing low-privileged attackers to execute arbitrary commands.

Vulnerability

CVE-2026-22678 is a stored cross-site scripting (XSS) vulnerability in Webmin versions prior to 2.641. The flaw resides in the email template description field of the System and Server Status module. Unvalidated user input entered via save_tmpl.cgi is stored without sanitization and later rendered unescaped by list_tmpls.cgi, enabling persistent script injection [1].
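The save-then-render flow described above, as an added illustration that is not Webmin's code: a minimal Perl CGI stand-in (Webmin is written in Perl) with a hypothetical in-memory store and hypothetical function names (save_template, list_templates_unsafe, list_templates_safe, html_escape). Only the shape of the flow, a save step that persists the description and a list step that writes it into HTML, comes from the advisory. It places the vulnerable render beside the hardened one so the fix, encoding every untrusted field at the point it is written into the page, is visible in one place.

```perl
#!/usr/bin/perl
# Added illustration (not Webmin's code). The store, the function names and
# the sample template are constructed for this example; only the
# save_tmpl.cgi -> list_tmpls.cgi flow they mimic comes from the advisory.
use strict;
use warnings;

# Constructed in-memory template store, standing in for on-disk template files.
my %store;

# Escape the characters that change meaning in an HTML text or attribute
# context. The browser then displays the stored text literally.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Save step: persist the description exactly as submitted. Storing the raw
# value is not itself the defect; failing to encode it on output is.
sub save_template {
    my ($id, $desc) = @_;
    $store{$id} = { desc => $desc };
}

# Vulnerable render: interpolates the stored string straight into the table,
# so any markup in the description becomes part of the page for every viewer.
sub list_templates_unsafe {
    return join '', map {
        my $id = $_;
        "<tr><td>$id</td><td>$store{$id}{desc}</td></tr>\n";
    } sort keys %store;
}

# Hardened render: each untrusted field is HTML-escaped where it is written
# into the page, which is the standard fix for stored XSS.
sub list_templates_safe {
    return join '', map {
        my $id = $_;
        "<tr><td>" . html_escape($id) . "</td><td>"
          . html_escape($store{$id}{desc}) . "</td></tr>\n";
    } sort keys %store;
}

# Constructed sample input: a description that carries markup.
save_template('nightly', 'Nightly report <script>alert(1)</script>');

my $unsafe = list_templates_unsafe();
my $safe   = list_templates_safe();

print "--- unsafe render ---\n$unsafe";
print "--- safe render ---\n$safe";

# Render-time check a reviewer can apply to any list view: no raw tag from a
# stored value should survive in the escaped output.
printf "unsafe render contains a live <script> tag: %s\n",
    ($unsafe =~ /<script>/ ? 'yes' : 'no');
printf "safe render contains a live <script> tag: %s\n",
    ($safe =~ /<script>/ ? 'yes' : 'no');
```

Run it with `perl` from any directory; it needs no modules beyond strict and warnings. The design point is that encoding belongs at the output boundary of the list view, not only at save time: a field may be written by several code paths, and only the renderer knows it is emitting HTML.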

Exploitation

An authenticated attacker with low privileges can exploit this by crafting a malicious payload in the email template description. The stored XSS payload triggers when another user (including an administrator) views the list of templates. No special network position or additional authentication is required beyond standard Webmin credentials [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or further actions such as initiating authenticated Webmin operations on behalf of the victim, including command execution [1].

Mitigation

The vulnerability is patched in Webmin version 2.641, released on 2026-05-21. Users should upgrade immediately. The changelog confirms fixes in the System and Server Status module related to monitor editing, which encompasses the underlying issue [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Webmin / Webmin (inferred), 2 version entries
    • (no CPE) range: < 2.641
    • (no CPE) range: < 2.641

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (1)