VYPR
Medium severity · CVSS 6.1 · NVD Advisory · Published May 27, 2026

CVE-2026-49102


Description

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Webmin before 2.640 allows XSS via SVG attachment in mailboxes/detach.cgi due to unsafe MIME type handling.

Vulnerability

Webmin versions prior to 2.640 contain a stored cross-site scripting (XSS) vulnerability in the mailboxes/detach.cgi endpoint. The bug occurs when an email attachment with an SVG image (MIME type image/svg+xml) is viewed through the mailboxes component. The vulnerable code serves the SVG content with the original MIME type image/svg+xml instead of a safe type such as text/plain, allowing scripts embedded in the SVG to execute in the context of the Webmin origin. The fix in commit cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 addresses the issue for all versions up to 2.630 [1][2].

Exploitation

An attacker must be able to send or upload an email containing an SVG attachment to a Webmin user's mailbox. When the victim views the attachment via the mailboxes component (specifically detach.cgi), the browser renders the SVG with its original MIME type, allowing any JavaScript embedded in the SVG to execute. No special network position is required, and the only authentication involved is the victim's own valid Webmin session, since the script runs from the trusted Webmin origin [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's Webmin session. This can lead to session hijacking, credential theft, or other actions that the victim user can perform within Webmin. The vulnerability is classified as medium severity (CVSS 6.1) and primarily affects confidentiality and integrity through cross-site scripting [1][2].

Mitigation

The vulnerability is fixed in Webmin version 2.640, released on or around May 27, 2026. Users should upgrade to Webmin 2.640 or later as soon as possible. The fix stops serving SVG attachments under their original MIME type; they are served as text/plain instead, with a Content-Disposition: Attachment header when a download is requested, so embedded script never executes. No workaround is documented other than upgrading. The issue is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Webmin/Webmin: 2 versions listed, no CPE; affected range: <2.640

Patches (1)

Commit cf432879a145: "Fix unsafe mailbox attachment handling"
https://github.com/webmin/webmin · Ilia Ross · Apr 23, 2026 · via nvd-ref
2 files changed · +20 −2

  • mailboxes/detachall.cgi (+5 −0, modified)
    @@ -37,6 +37,11 @@ foreach $a (@attach) {
     	else {
     		$fn = "file".(++$n).".".&type_to_extension($a->{'type'});
     		}
    +	$fn =~ s/[\r\n\0]//g;
    +	$fn =~ s/\\/\//g;
    +	$fn =~ s/^.*\///g;
    +	$fn =~ /^\.+$/ && ($fn = "");
    +	$fn ||= "file".(++$n);
     
     	# Write the file
     	&open_tempfile(FILE, ">$temp/$fn", 0, 1);
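Review bot: the new sanitization leaves name collisions unhandled: after directory components are stripped, two attachments can reduce to the same `$fn` (or a decoded name can coincide with a generated `"file".(++$n)`), and `&open_tempfile(FILE, ">$temp/$fn", 0, 1)` then silently overwrites the earlier file; consider tracking the names already used and appending a counter on collision. Minor: the `/g` on `s/^.*\///g` is redundant given the `^` anchor, and this hunk would read better with a one-line comment, like the one added in detach.cgi, stating that it strips directory components and dot-only names.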
    
  • mailboxes/detach.cgi (+15 −2, modified)
    @@ -68,8 +68,21 @@ if ($in{'scale'}) {
     else {
     	# Just output the attachment
     	print "X-no-links: 1\n";
    +	$fn = $attach->{'filename'} ? &decode_mimewords($attach->{'filename'})
    +				    : "attachment";
    +	$fn =~ s/[\r\n\0"\\\/]//g;
    +	$fn ||= "attachment";
     	@download = split(/\t+/, $config{'download'});
    -	if ($in{'type'}) {
    +	if ($attach->{'type'} =~ /^image\/svg(\+xml)?/i ||
    +	    $in{'type'} =~ /^image\/svg(\+xml)?/i ||
    +	    $fn =~ /\.svgz?$/i) {
    +		# SVG can execute scripts when served from the Webmin origin.
    +		print "Content-Disposition: Attachment; filename=\"$fn\"\n"
    +			if ($in{'save'});
    +		print "Content-type: text/plain\n\n";
    +		print $attach->{'data'};
    +		}
    +	elsif ($in{'type'}) {
                     # Display as a specific MIME type
                     print "Content-type: $in{'type'}\n\n";
                     print $attach->{'data'};
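Review bot: the guard is a denylist of a single media type, while the `elsif ($in{'type'})` branch below it still prints the request-supplied `$in{'type'}` verbatim into `Content-type:`, so the fix only holds as long as every media type a browser treats as active is enumerated and the parameter carries no CR/LF. Consider validating `$in{'type'}` against a fixed set of types known to render inertly (or at least stripping `[\r\n\0]` from it, as is now done for `$fn`), and adding `X-Content-Type-Options: nosniff` to the SVG branch so the `text/plain` body is never content-sniffed. Minor: `/^image\/svg(\+xml)?/i` already matches any type beginning with `image/svg`, so the optional `(\+xml)?` group is redundant.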
    @@ -78,7 +91,7 @@ else {
     		# Auto-detect type
                     if ($in{'save'}) {
                             # Force download
    -                        print "Content-Disposition: Attachment; filename=\"$attach->{'filename'}\"\n";
    +                        print "Content-Disposition: Attachment; filename=\"$fn\"\n";
                             }
                     if ($attach->{'type'} eq 'message/delivery-status') {
                             print "Content-type: text/plain\n\n";
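Review bot: using the sanitized `$fn` here closes the header-injection hole in the `Content-Disposition` line, but the sanitizer introduced in the previous hunk deletes `"` and `\` rather than escaping them, so a legitimate filename containing those characters is silently altered, and any non-ASCII output of `decode_mimewords` is still written raw into the header. Consider emitting an RFC 6266 `filename*=UTF-8''...` parameter next to a pure-ASCII quoted fallback.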
    

Vulnerability mechanics

Root cause

"Missing content-type sanitization allows SVG attachments to be served with their native image/svg+xml MIME type, enabling script execution in the browser."

Attack vector

An attacker sends an email to a Webmin user with an SVG attachment containing embedded JavaScript. When the victim views the attachment via the mailboxes component (detach.cgi), the script executes in the Webmin origin because the attachment is served with its original image/svg+xml content type [patch_id=2691350]. The attacker needs no authentication; the victim must only click the attachment link while logged into Webmin (CVSS: AV:N/AC:L/PR:N/UI:R).

Affected code

The vulnerable code is in `mailboxes/detach.cgi` (lines ~68-91) where attachment content is served. The `mailboxes/detachall.cgi` file also receives a filename sanitization fix [patch_id=2691350].

What the fix does

The patch adds a check in detach.cgi that detects SVG files by MIME type (`image/svg` or `image/svg+xml`, taken from either the attachment or the requested type) or by filename extension (`.svg` or `.svgz`). When an SVG is detected, the response is forced to `Content-type: text/plain` and, when a download is requested via the save parameter, a `Content-Disposition: Attachment` header is added, so the browser never renders the SVG as an active document [patch_id=2691350]. Additionally, the filename variable `$fn` is sanitized to strip dangerous characters (`\r`, `\n`, `\0`, `"`, `\`, `/`) and defaults to `"attachment"` if empty. A parallel fix in detachall.cgi sanitizes filenames used when writing attachments to disk, removing newlines and null bytes, stripping any directory components, and rejecting names made only of dots.
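As an added example (not Webmin's code), the following Python check classifies a captured detach.cgi response by its headers, so an administrator can confirm that an upgraded instance no longer serves SVG attachments under an active media type; the sample responses are constructed to match the header pattern visible in the patch.

```python
"""Classify a captured HTTP response from mailboxes/detach.cgi: would the browser
render the attachment as an active SVG document in the Webmin origin?
Added example, not Webmin code; the responses below are constructed to mirror the
patch's header pattern (Webmin prints 'Content-type:', so matching is case-insensitive)."""

SVG_MEDIA_TYPES = {"image/svg+xml", "image/svg"}

def parse_headers(raw: bytes):
    """Split an HTTP/1.x response into (status line, {lowercase name: value}).
    Repeated headers are joined with ', ' (list semantics, RFC 9110 section 5.3)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines rather than failing the whole check
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return status, headers

def bare_value(header_value: str) -> str:
    """'Image/SVG+XML; charset=utf-8' -> 'image/svg+xml': drop parameters, lowercase."""
    return header_value.split(";", 1)[0].strip().lower()

def classify(raw: bytes) -> str:
    """'inline-svg': browser parses the body as SVG in the Webmin origin (the CVE
    condition); 'download': Content-Disposition forces a save, nothing runs in the
    page; 'inert': served under a non-SVG type (the fix uses text/plain), shown as text."""
    _, headers = parse_headers(raw)
    if bare_value(headers.get("content-disposition", "")) == "attachment":
        return "download"
    if bare_value(headers.get("content-type", "")) in SVG_MEDIA_TYPES:
        return "inline-svg"
    return "inert"

# Constructed samples: pre-fix behaviour, then the two post-fix branches of the patch.
BODY = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'
PRE_FIX = b"HTTP/1.1 200 OK\r\nX-no-links: 1\r\nContent-type: image/svg+xml\r\n\r\n" + BODY
POST_FIX_VIEW = b"HTTP/1.1 200 OK\r\nX-no-links: 1\r\nContent-type: text/plain\r\n\r\n" + BODY
POST_FIX_SAVE = (b"HTTP/1.1 200 OK\r\nX-no-links: 1\r\n"
                 b'Content-Disposition: Attachment; filename="diagram.svg"\r\n'
                 b"Content-type: text/plain\r\n\r\n" + BODY)

if __name__ == "__main__":
    for label, sample in (("pre-fix", PRE_FIX), ("post-fix view", POST_FIX_VIEW),
                          ("post-fix save", POST_FIX_SAVE)):
        print(f"{label:14} -> {classify(sample)}")
```

Feed `classify()` the raw bytes of a response captured from your own instance for an SVG attachment; any result other than `inline-svg` is the patched behaviour.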

Preconditions

  • auth: the victim must be logged into Webmin and click the SVG attachment link in the mailboxes component
  • input: the attacker must be able to send an email with an SVG attachment to the Webmin user's mailbox
  • network: network access to the Webmin server is required

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)
