CVE-2026-22678

MEDIUM 5.4

Webmin < 2.641 Stored XSS via System and Server Status

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

10th

Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.

CWE	CWE-79
Vendor	webmin
Product	webmin
Published	May 21, 2026
Last Updated	May 25, 2026

Stay Ahead of the Next One

Get instant alerts for webmin webmin

Be the first to know when new medium vulnerabilities affecting webmin webmin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Webmin / Webmin

0 < 2.641

References

NVD ↗ CVE.org ↗ EPSS Data ↗

webmin.com: https://webmin.com/changelog/webmin-2.641-released/ vulncheck.com: https://www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-status

Credits

Hamed Kohi (@0xHamy) VulnCheck