CVE-2026-29964
Description
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MailInspector v5.3.3-7 suffers from a reflected XSS in /tap/tap.php via obfuscated JavaScript syntax, enabling session theft and phishing.
Vulnerability
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the endpoint /tap/tap.php (or /mailinspector/tap/tap.php). The application reflects user-supplied input without proper output encoding and fails to neutralize alternate or obfuscated JavaScript syntax, allowing arbitrary script injection [1][2]. This flaw is classified under CWE-87 (Improper Neutralization of Alternate XSS Syntax).
Exploitation
An attacker can craft a malicious URL containing obfuscated JavaScript payloads and trick a victim into clicking it (user interaction required). No authentication or special network position is needed beyond standard web access [2]. The attacker does not need to be logged in; the XSS is reflected in the HTTP response returned to the victim's browser.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the MailInspector application context. This can lead to session token theft, session hijacking, content manipulation, phishing attacks, and potential privilege escalation if an administrator's session is compromised [2]. The CVSS v3.1 score of 8.2 (High) in the reference reflects High confidentiality and integrity impact with a changed scope [2].
Mitigation
As of this disclosure, no official patch or fixed version has been announced by HSC Labs. The vendor advisory page [1] does not mention remediation. Users should monitor the vendor's update channels for a security fix and, in the interim, consider applying a Web Application Firewall (WAF) rule to block reflected XSS patterns in the /tap/tap.php endpoint or limiting access to the MailInspector interface to trusted networks.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 5.3.3-7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] hsclabs.com/pt-br/mailinspector/ (NVD: Product)
- [2] github.com/sql3t0/cve-disclosures/blob/main/03_-_CVE-2026-29964_XSS.md (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.