VYPR
Critical severity · NVD Advisory · Published May 27, 2026

CVE-2026-49103

Description

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Webmin before 2.640 unsafely constructs attachment filenames in mailboxes/detachall.cgi, leading to potential XSS or arbitrary file write.

Vulnerability

Webmin versions prior to 2.640 contain a vulnerability in the mailboxes component, specifically in mailboxes/detachall.cgi, where attachment filenames are not safely constructed. The code uses the filename from the attachment without sanitization, allowing characters such as newlines, null bytes, and backslashes to appear in the filename. Additionally, SVG attachments are served with their original Content-Type (e.g., image/svg+xml), which can execute scripts when rendered in a browser. The vulnerability affects Webmin before 2.640 [1].

Exploitation

An attacker can send an email with a crafted attachment to a Webmin user. When the user attempts to view or save the attachment, the unsanitized filename can be used to perform a cross-site scripting (XSS) attack if the attachment is displayed inline (e.g., SVG), or to write a file with an arbitrary name and path via path traversal sequences in the filename. The attacker only needs to send an email to the target user; no Webmin authentication is required [2].

Impact

Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of the Webmin session (XSS), potentially leading to session hijacking or administrative actions. Alternatively, if the attachment is saved, an attacker could write a file to an arbitrary location on the server, such as a malicious CGI script, leading to remote code execution with the privileges of the Webmin server [2].

Mitigation

Upgrade to Webmin 2.640 or later, which was released on 2026-05-27. The fix sanitizes attachment filenames by removing dangerous characters and path traversal elements, and forces SVG attachments to be served as text/plain to prevent script execution. No workarounds are available; administrators should update immediately. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Webmin/Webmin (2 version entries, no CPE): affected range <2.640

Patches

1 patch · cf432879a145

Fix unsafe mailbox attachment handling

Repository: https://github.com/webmin/webmin · Author: Ilia Ross · Apr 23, 2026 (via nvd-ref)
2 files changed · +20 −2

  • mailboxes/detachall.cgi (+5 −0, modified)
    @@ -37,6 +37,11 @@ foreach $a (@attach) {
     	else {
     		$fn = "file".(++$n).".".&type_to_extension($a->{'type'});
     		}
    +	$fn =~ s/[\r\n\0]//g;
    +	$fn =~ s/\\/\//g;
    +	$fn =~ s/^.*\///g;
    +	$fn =~ /^\.+$/ && ($fn = "");
    +	$fn ||= "file".(++$n);
     
     	# Write the file
     	&open_tempfile(FILE, ">$temp/$fn", 0, 1);
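Review bot: After the basename step (`$fn =~ s/^.*\///g;`) two attachments in the same message can reduce to the same `$fn`, and `&open_tempfile(FILE, ">$temp/$fn", 0, 1)` then silently overwrites the file written for the earlier one; consider remembering the names already written in this loop and falling into the `"file".(++$n)` fallback (or appending a counter) on a collision. A one-line comment above the five substitutions stating that they keep message-supplied names inside `$temp` would also help the next reader.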
    
  • mailboxes/detach.cgi (+15 −2, modified)
    @@ -68,8 +68,21 @@ if ($in{'scale'}) {
     else {
     	# Just output the attachment
     	print "X-no-links: 1\n";
    +	$fn = $attach->{'filename'} ? &decode_mimewords($attach->{'filename'})
    +				    : "attachment";
    +	$fn =~ s/[\r\n\0"\\\/]//g;
    +	$fn ||= "attachment";
     	@download = split(/\t+/, $config{'download'});
    -	if ($in{'type'}) {
    +	if ($attach->{'type'} =~ /^image\/svg(\+xml)?/i ||
    +	    $in{'type'} =~ /^image\/svg(\+xml)?/i ||
    +	    $fn =~ /\.svgz?$/i) {
    +		# SVG can execute scripts when served from the Webmin origin.
    +		print "Content-Disposition: Attachment; filename=\"$fn\"\n"
    +			if ($in{'save'});
    +		print "Content-type: text/plain\n\n";
    +		print $attach->{'data'};
    +		}
    +	elsif ($in{'type'}) {
                     # Display as a specific MIME type
                     print "Content-type: $in{'type'}\n\n";
                     print $attach->{'data'};
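Review bot: The SVG gate only decides the Content-type; in the `elsif ($in{'type'})` branch the request-supplied `$in{'type'}` is still interpolated straight into the `Content-type:` header, so it deserves a check of its own (for example, reject anything that does not match a plain `type/subtype` token pattern before printing it). Separately, this file removes `"`, `\` and `/` from `$fn` while detachall.cgi keeps the last path component; a shared helper in the module would keep the two rules from drifting apart.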
    @@ -78,7 +91,7 @@ else {
     		# Auto-detect type
                     if ($in{'save'}) {
                             # Force download
    -                        print "Content-Disposition: Attachment; filename=\"$attach->{'filename'}\"\n";
    +                        print "Content-Disposition: Attachment; filename=\"$fn\"\n";
                             }
                     if ($attach->{'type'} eq 'message/delivery-status') {
                             print "Content-type: text/plain\n\n";
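Review bot: This `Content-Disposition` line is now identical to the one in the SVG branch above; emitting it once before the type branches (or from one helper) avoids a third copy next time. Since `&decode_mimewords` can produce non-ASCII names, consider adding an RFC 5987 `filename*=UTF-8''...` parameter next to the quoted form so browsers show the intended name.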
    

Vulnerability mechanics

Root cause

"Missing sanitization of attachment filenames in mailboxes/detachall.cgi allows directory traversal and arbitrary file write."

Attack vector

An attacker sends an email with a crafted attachment filename containing path traversal sequences (e.g., `../`) or null bytes. When the victim uses the "detach all" feature in Webmin's mailboxes component, the unsanitized filename is used directly in a file write operation (`&open_tempfile(FILE, ">$temp/$fn", 0, 1)`) [patch_id=2691349]. This allows writing files outside the intended temporary directory, potentially overwriting Webmin configuration or executable files. The attacker needs only the ability to send an email to a Webmin mailbox user who then triggers the detach-all action.

Affected code

The vulnerable code is in `mailboxes/detachall.cgi` where attachment filenames from email messages are used directly in a file write operation without sanitization. The patch modifies the `foreach $a (@attach)` loop to sanitize the `$fn` variable before calling `&open_tempfile(FILE, ">$temp/$fn", 0, 1)` [patch_id=2691349]. A related but separate fix in `mailboxes/detach.cgi` addresses SVG content-type handling and filename sanitization for single-attachment downloads.

What the fix does

The patch adds four sanitization steps to `mailboxes/detachall.cgi` before the filename is used in file operations, plus a fallback [patch_id=2691349]. It strips carriage returns, newlines, and null bytes (`s/[\r\n\0]//g`), converts backslashes to forward slashes so Windows-style separators are handled the same way (`s/\\/\//g`), discards everything up to the last slash so only the final path component remains (`s/^.*\///g`), and rejects filenames consisting only of dots such as `.` or `..` (`/^\.+$/ && ($fn = "")`). If the result is empty, a default filename is assigned (`$fn ||= "file".(++$n)`). Together these steps prevent directory traversal and null-byte injection.
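The same steps as a Python re-implementation, added here as an example and not Webmin's Perl code: it ports the detachall.cgi basename sanitizer, the detach.cgi filename cleanup and the patch's SVG content-type gate, and runs them over constructed filenames (MIME-word decoding is omitted; the function and counter names are this example's own).

```python
import re
from typing import Optional, Tuple

# Constructed port of the sanitisation added in Webmin 2.640 (not Webmin's code).
# Perl's "." does not match "\n" by default and neither does Python's, and CR/LF
# are stripped first in both, so the regexes behave alike on these inputs.


def sanitize_detachall_name(fn: str, n: int) -> Tuple[str, int]:
    """Mirror of the five steps in detachall.cgi. `n` is the shared counter used
    for fallback names ("file1", "file2", ...); the updated value is returned."""
    fn = re.sub(r"[\r\n\x00]", "", fn)   # 1. drop CR, LF and NUL bytes
    fn = fn.replace("\\", "/")           # 2. treat backslashes as path separators
    fn = re.sub(r"^.*/", "", fn)         # 3. keep only the final path component
    if re.fullmatch(r"\.+", fn):         # 4. "." or ".." alone is not a name
        fn = ""
    if not fn:                           # 5. fallback when nothing usable remains
        n += 1
        fn = f"file{n}"
    return fn, n


def sanitize_detach_name(filename: Optional[str]) -> str:
    """Mirror of detach.cgi: strip CR/LF/NUL, double quotes and both slash kinds
    from the (already decoded) filename, falling back to "attachment"."""
    fn = filename or "attachment"
    fn = re.sub(r'[\r\n\x00"\\/]', "", fn)
    return fn or "attachment"


_SVG_TYPE = re.compile(r"^image/svg(\+xml)?", re.IGNORECASE)


def is_svg_attachment(attach_type: Optional[str], requested_type: Optional[str], fn: str) -> bool:
    """True when the patch would force Content-type: text/plain: the attachment's
    own type, the type requested in the URL, or a .svg/.svgz name marks it as SVG."""
    return bool(_SVG_TYPE.match(attach_type or "")
                or _SVG_TYPE.match(requested_type or "")
                or re.search(r"\.svgz?$", fn, re.IGNORECASE))


if __name__ == "__main__":
    # Constructed traversal-style names; each collapses to a plain basename.
    for raw in ("../../etc/passwd", "..\\..\\cgi-bin\\evil.cgi", "report.pdf\x00.txt", ".."):
        print(repr(raw), "->", sanitize_detachall_name(raw, 0))
    print(sanitize_detach_name('x"; y=".svg'), is_svg_attachment("image/png", None, "logo.SVGZ"))
```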

Preconditions

  • input: Attacker must be able to send an email with a crafted attachment filename to a Webmin mailbox user.
  • auth: Victim must be an authenticated Webmin user with access to the mailboxes component.
  • network: Network access to the Webmin server is required for the attacker to deliver the malicious email.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
