CVE-2026-29963

Vulnerability

A path traversal vulnerability exists in HSC MailInspector version 5.3.3‑7. The endpoint /tap/dw.php (also reachable as /mailinspector/tap/dw.php) processes the ext parameter without adequate validation or restriction to a safe base directory. The user-supplied input is used to construct file paths, and the application fails to properly normalize or sanitize directory traversal sequences, enabling an attacker to escape the intended directory [1], [2].

Exploitation

An unauthenticated remote attacker can exploit this flaw by sending a crafted HTTP request to the vulnerable endpoint. No special network position or authentication is required. By manipulating the ext parameter with directory traversal sequences (e.g., ../), the attacker can navigate the filesystem outside the intended base directory and read arbitrary files on the underlying operating system [2].

Impact

Successful exploitation allows an attacker to read arbitrary system and application files, including configuration files that may contain sensitive data such as credentials or internal network details. This leads to unauthorized disclosure of sensitive information (confidentiality breach). The vulnerability does not directly enable modification or deletion of files (integrity) or denial of service (availability), but the information gained could be used as an entry point for chained attacks [2].

Mitigation

As of the available references, no patch or fixed version has been released by HSC Labs. The affected version is MailInspector 5.3.3‑7 [2]. Users should monitor vendor advisories for updates and, until a fix is available, restrict network access to the /tap/dw.php endpoint or apply virtual patching through a web application firewall (WAF). The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1], [2].