CVE-2026-29962
Description
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HSC MailInspector v5.3.3-7 is vulnerable to Local File Inclusion via path traversal in /vendor/phpunit/phpunit.php, allowing remote unauthenticated attackers to read arbitrary files.
Vulnerability
HSC MailInspector version 5.3.3-7 contains a Local File Inclusion (LFI) vulnerability in the endpoint /vendor/phpunit/phpunit.php. The endpoint processes user-controlled parameters that directly affect file access operations without adequate validation or path restriction, enabling path traversal attacks. This issue is classified under CWE-73 (External Control of File Name or Path) [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication or user interaction. By sending a crafted HTTP request to /vendor/phpunit/phpunit.php with path traversal sequences (e.g., ../) in the file parameter, the attacker can read arbitrary files from the server's filesystem [2].
Impact
Successful exploitation allows an attacker to read sensitive system and application files, including configuration files, credentials, API keys, and database connection details. This information disclosure can provide insight into the internal architecture of the server and serve as a stepping stone for further attacks [2].
Mitigation
As of the publication date, no official patch or workaround has been disclosed in the available references. Administrators are advised to monitor vendor updates and restrict network access to the vulnerable endpoint, or implement input validation and path sanitization as a temporary measure [2].
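While no patch is available, web server access logs can be reviewed for requests that reach the endpoint. The following is an added example, not code from the advisory or the vendor; it assumes common/combined log format, and the sample lines, IP addresses and the parameter name `p` are constructed placeholders.

```python
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/vendor/phpunit/phpunit.php"  # path named in the advisory
# Assumption: access logs are in common/combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
TRAVERSAL_RE = re.compile(r"(?:^|[=&/])\.\.(?:/|&|$)")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for unrelated lines, else details of a request to ENDPOINT."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, status = m.groups()
    raw_path, _, raw_query = target.partition("?")
    # Normalise the path so //, /./ and encoded forms still match ENDPOINT.
    path = "/" + posixpath.normpath(fully_decode(raw_path)).lstrip("/")
    if path != ENDPOINT:
        return None
    query = fully_decode(raw_query).replace("\\", "/")
    return {"ip": ip, "time": ts, "status": int(status),
            "traversal": bool(TRAVERSAL_RE.search(query))}

def scan(lines):
    """Collect every request that reached the endpoint, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, placeholder parameter "p").
SAMPLE = [
    '192.0.2.10 - - [21/May/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/May/2026:10:00:05 +0000] "GET /vendor/phpunit/phpunit.php?p=..%2f..%2fconf%2fapp.ini HTTP/1.1" 200 2048',
    '198.51.100.7 - - [21/May/2026:10:00:09 +0000] "GET /vendor/phpunit/phpunit.php?p=%252e%252e%252fconf HTTP/1.1" 403 153',
    '203.0.113.5 - - [21/May/2026:10:01:00 +0000] "POST //vendor/phpunit/phpunit.php HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Every request to the endpoint is reported, because POST bodies are not recorded in access logs; hits with `traversal` set and a 200 status are the ones to triage first.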
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
- github.com/sql3t0/cve-disclosures/blob/main/01_-_CVE-2026-29962_LFI%2BPath_Traversal.md (NVD, Third Party Advisory)
- hsclabs.com/pt-br/mailinspector (NVD, Product)