Webmin
by Webmin
CVEs (103)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2003-0101 | 0.04 | — | 0.15 | Mar 3, 2003 | miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root… |
| CVE-2001-1196 | 0.04 | — | 0.10 | Dec 17, 2001 | Directory traversal vulnerability in edit_action.cgi of Webmin Directory 0.91 allows attackers to gain privileges via a '..' (dot dot) in the argument. |
| CVE-2024-12828 | 0.03 | — | 0.32 | Dec 30, 2024 | Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of… |
| CVE-2019-15642 | 0.03 | — | 0.38 | Aug 26, 2019 | rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is… |
| CVE-2002-2360 | 0.03 | — | 0.04 | Dec 31, 2002 | The RPC module in Webmin 0.21 through 0.99, when installed without root or admin privileges, allows remote attackers to read and write to arbitrary files and execute arbitrary commands via remote_foreign_require and remote_foreign_call requests. |
| CVE-2002-1673 | 0.03 | — | 0.01 | Dec 31, 2002 | The web interface for Webmin 0.92 does not properly quote or filter script code in files that are displayed to the interface, which allows local users to execute script and possibly steal cookies by inserting the script into certain files or fields, such as a real user name… |
| CVE-2021-32157 | 0.02 | — | 0.04 | Apr 11, 2022 | A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature. |
| CVE-2021-31760 | 0.02 | — | 0.09 | Apr 25, 2021 | Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature. |
| CVE-2021-32162 | 0.01 | — | 0.03 | Apr 11, 2022 | A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature. |
| CVE-2021-32161 | 0.01 | — | 0.02 | Apr 11, 2022 | A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature. |
| CVE-2021-32160 | 0.01 | — | 0.02 | Apr 11, 2022 | A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature. |
| CVE-2021-32159 | 0.01 | — | 0.02 | Apr 11, 2022 | A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature. |
| CVE-2021-32158 | 0.01 | — | 0.02 | Apr 11, 2022 | A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Upload and Download feature. |
| CVE-2021-32156 | 0.01 | — | 0.02 | Apr 11, 2022 | A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature. |
| CVE-2012-2982 | 0.01 | — | 0.62 | Sep 11, 2012 | file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a \| (pipe) character. |
| CVE-2005-3912 | 0.01 | — | 0.14 | Nov 30, 2005 | Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled, allows remote attackers to cause a denial of service (crash or memory consumption) and possibly execute arbitrary code via format string… |
| CVE-2026-56020 | 0.00 | — | 0.00 | Jun 18, 2026 | The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641. |
| CVE-2026-56021 | 0.00 | — | 0.00 | Jun 18, 2026 | Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern. |
| CVE-2026-56022 | 0.00 | — | 0.00 | Jun 18, 2026 | Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641. |
| CVE-2025-61541 | 0.00 | — | 0.00 | Oct 16, 2025 | Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain… |
Page 2 of 6