
CVE-2026-49103

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component

Published: 2026-05-27 · Last updated: 2026-05-27

Severity and scoring

CWE
CWE-24

Description

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

Source: NVD

Related CVEs

Same CWE

  • CVE-2026-22810 Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks (8.2 HIGH)
  • CVE-2026-41082 In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory (7.3 HIGH)