Webmin

by Webmin

CVEs (103)

  • CVE-2003-0101 (Mar 3, 2003)
    risk 0.04 | cvss | epss 0.15

    miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root…

  • CVE-2001-1196 (Dec 17, 2001)
    risk 0.04 | cvss | epss 0.10

    Directory traversal vulnerability in edit_action.cgi of Webmin Directory 0.91 allows attackers to gain privileges via a '..' (dot dot) in the argument.

  • CVE-2024-12828 (Dec 30, 2024)
    risk 0.03 | cvss | epss 0.32

    Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of…

  • CVE-2019-15642 (Aug 26, 2019)
    risk 0.03 | cvss | epss 0.38

    rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is…

  • CVE-2002-2360 (Dec 31, 2002)
    risk 0.03 | cvss | epss 0.04

    The RPC module in Webmin 0.21 through 0.99, when installed without root or admin privileges, allows remote attackers to read and write to arbitrary files and execute arbitrary commands via remote_foreign_require and remote_foreign_call requests.

  • CVE-2002-1673 (Dec 31, 2002)
    risk 0.03 | cvss | epss 0.01

    The web interface for Webmin 0.92 does not properly quote or filter script code in files that are displayed to the interface, which allows local users to execute script and possibly steal cookies by inserting the script into certain files or fields, such as a real user name…

  • CVE-2021-32157 (Apr 11, 2022)
    risk 0.02 | cvss | epss 0.04

    A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

  • CVE-2021-31760 (Apr 25, 2021)
    risk 0.02 | cvss | epss 0.09

    Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.

  • CVE-2021-32162 (Apr 11, 2022)
    risk 0.01 | cvss | epss 0.03

    A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature.

  • CVE-2021-32161 (Apr 11, 2022)
    risk 0.01 | cvss | epss 0.02

    A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature.

  • CVE-2021-32160 (Apr 11, 2022)
    risk 0.01 | cvss | epss 0.02

    A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature.

  • CVE-2021-32159 (Apr 11, 2022)
    risk 0.01 | cvss | epss 0.02

    A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

  • CVE-2021-32158 (Apr 11, 2022)
    risk 0.01 | cvss | epss 0.02

    A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

  • CVE-2021-32156 (Apr 11, 2022)
    risk 0.01 | cvss | epss 0.02

    A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

  • CVE-2012-2982 (Sep 11, 2012)
    risk 0.01 | cvss | epss 0.62

    file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.

  • CVE-2005-3912 (Nov 30, 2005)
    risk 0.01 | cvss | epss 0.14

    Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled, allows remote attackers to cause a denial of service (crash or memory consumption) and possibly execute arbitrary code via format string…

  • CVE-2026-56020 (Jun 18, 2026)
    risk 0.00 | cvss | epss 0.00

    The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.

  • CVE-2026-56021 (Jun 18, 2026)
    risk 0.00 | cvss | epss 0.00

    Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.

  • CVE-2026-56022 (Jun 18, 2026)
    risk 0.00 | cvss | epss 0.00

    Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

  • CVE-2025-61541 (Oct 16, 2025)
    risk 0.00 | cvss | epss 0.00

    Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain…