CVE-2026-29965
Description
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HSC MailInspector 5.3.3-7 is vulnerable to reflected XSS in the /police/WarningUrlPage.php endpoint, allowing obfuscated JavaScript injection.
Vulnerability
HSC MailInspector version 5.3.3-7 suffers from a Cross-Site Scripting (XSS) vulnerability in the /police/WarningUrlPage.php endpoint. The software fails to properly neutralize user-supplied input, allowing attackers to inject arbitrary JavaScript code using alternate or obfuscated syntax. This issue is classified under CWE-87: Improper Neutralization of Alternate XSS Syntax [2].
Exploitation
An unauthenticated attacker can craft a malicious URL containing obfuscated JavaScript and deliver it to a victim, typically via phishing or social engineering. No special network position or authentication is required; the attack vector is network-based and requires user interaction (the victim must click the crafted link). When the victim accesses the URL, the injected script executes in the context of the MailInspector application in their browser [1][2].
Impact
Successful exploitation allows an attacker to perform a range of malicious actions, including credential theft, session hijacking, injection of fraudulent content, and manipulation of the user interface. The impact is amplified because the application is a security gateway that handles sensitive email data, potentially exposing internal communications and allowing further compromise of the email infrastructure [1][2].
Mitigation
As of the publication date, no official patch has been released by HSC Labs. The vendor's product page does not mention a fixed version [1]. Users should restrict access to the vulnerable endpoint through web application firewall (WAF) rules or input validation proxies as a temporary workaround. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
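While no fixed version exists, access logs can be reviewed for requests to the endpoint that carry encoded markup. The following triage script is an added example, not code from the advisory or from HSC Labs; it assumes combined-format access logs, and the parameter name `u` in the constructed sample lines is hypothetical.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/police/WarningUrlPage.php"  # path named in the CVE description
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup metacharacters, script URLs and inline handlers: none belong in a plain value.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript\s*:|\son\w+\s*=", re.I)

def normalize(value, max_rounds=5):
    """Undo layered URL and HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines):
    """Return (line_no, parameter, normalized_text) for suspicious hits on ENDPOINT."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path.lower() != ENDPOINT.lower():
            continue
        # The page names no parameter, so every parameter name and value is checked.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            for part in (normalize(name), normalize(value)):
                if SUSPICIOUS.search(part):
                    hits.append((n, name, part))
                    break
    return hits

# Constructed sample lines (combined log format); parameter "u" is hypothetical.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/May/2026:10:01:02 +0000] "GET /police/WarningUrlPage.php?u=https%3A%2F%2Fexample.org%2Fa HTTP/1.1" 200 512',
    '198.51.100.9 - - [21/May/2026:10:02:11 +0000] "GET /police/WarningUrlPage.php?u=%3Cx%3E HTTP/1.1" 200 530',
    '198.51.100.9 - - [21/May/2026:10:02:40 +0000] "GET /police/WarningUrlPage.php?u=%253Cx%2520y%253D1%253E HTTP/1.1" 200 541',
    '198.51.100.9 - - [21/May/2026:10:03:05 +0000] "GET /police/WarningUrlPage.php?u=%26lt%3Bx%26gt%3B HTTP/1.1" 200 541',
    '203.0.113.4 - - [21/May/2026:10:04:00 +0000] "GET /index.php?q=%3Cx%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Decoding repeatedly before matching is what catches double-encoded and entity-encoded values that a single-pass filter would miss; hits are triage leads to review, not confirmed exploitation.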
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 5.3.3-7
Patches
No patches discovered yet.
References
- github.com/sql3t0/cve-disclosures/blob/main/04_-_CVE-2026-29965_XSS.md (nvd, Third Party Advisory)
- hsclabs.com/pt-br/mailinspector/ (nvd, Product)