CVE-2026-49102 Overview
CVE-2026-49102 is a stored cross-site scripting (XSS) vulnerability in Webmin versions before 2.640. The flaw exists in the mailboxes/detach.cgi endpoint, which serves email attachments with the image/svg+xml MIME type instead of a safe content type such as text/plain. An attacker can embed JavaScript inside a Scalable Vector Graphics (SVG) document, deliver it as an email attachment, and trigger script execution when a Webmin user views the attachment through the mailboxes component. The vulnerability is tracked under CWE-79.
Critical Impact
Authenticated Webmin administrators viewing a malicious SVG attachment execute attacker-controlled JavaScript in the Webmin origin, enabling session theft and administrative action hijacking.
Affected Products
- Webmin versions prior to 2.640
- Webmin mailboxes module (detach.cgi)
- Deployments handling untrusted email attachments through Webmin
Discovery Timeline
- 2026-05-27 - CVE-2026-49102 published to the National Vulnerability Database (NVD)
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-49102
Vulnerability Analysis
Webmin is a web-based system administration interface for Unix-like servers. The mailboxes module allows administrators to read mailbox contents directly through the Webmin console, including viewing message attachments inline.
When a user opens an attachment, mailboxes/detach.cgi returns the file with the original MIME type, including image/svg+xml for SVG files. Browsers parse SVG as an XML document and execute embedded <script> elements or event handlers within the response origin. Because the attachment is served from the Webmin host, the script runs in the same origin as the authenticated Webmin session.
The attacker requires no privileges on the target system. User interaction is required, because an administrator must open the attachment; opening attachments is a routine step in email triage, so this is a low barrier.
Root Cause
The root cause is unsafe content type selection in the attachment download handler. Instead of forcing a neutral MIME type such as text/plain or application/octet-stream for user-supplied attachments, detach.cgi honored the SVG MIME type. SVG documents support scripting, so trusting the attacker-controlled type allowed scripts to execute. The fix changes the served content type for SVG attachments to a non-executable type. See the upstream commit and the 2.630 to 2.640 diff.
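The content-type decision described above, written out as an added example (not Webmin's or detach.cgi's own code): the pre-fix behaviour trusts the declared MIME type, while the hardened variant renders only an assumed allowlist of inert types inline, downgrades everything else (including image/svg+xml) to an opaque download, and refuses to render inline anything whose body starts with markup regardless of its declared type. The function names, the allowlist and the markup check are this example's assumptions.

```python
import re

# Attachment types a browser can render inline without running attacker script.
# This allowlist is an assumption of the example, not Webmin's own list.
INLINE_SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}

# Leading markup that would make a browser treat the body as an active document.
MARKUP_START = re.compile(rb"^\s*(<\?xml|<!doctype|<svg|<html|<script)", re.IGNORECASE)


def vulnerable_headers(declared_type: str) -> dict:
    """Pre-fix behaviour: serve whatever MIME type arrived with the attachment."""
    return {"Content-Type": declared_type}


def hardened_headers(declared_type: str, filename: str, body: bytes) -> dict:
    """Post-fix behaviour: only allowlisted, non-markup bodies are rendered
    inline; everything else (including image/svg+xml) becomes an opaque
    download that the browser will not execute in the Webmin origin."""
    base_type = declared_type.split(";", 1)[0].strip().lower()
    looks_like_markup = MARKUP_START.match(body[:256]) is not None
    if base_type in INLINE_SAFE_TYPES and not looks_like_markup:
        served, disposition = base_type, "inline"
    else:
        served, disposition = "application/octet-stream", "attachment"
    # Keep the filename header injection-free: no quotes, CR/LF or separators.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    return {
        "Content-Type": served,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # nosniff stops the browser second-guessing the served type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed inputs: a minimal SVG and a PNG signature, not real attachments.
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"/>'
    print(vulnerable_headers("image/svg+xml"))
    print(hardened_headers("image/svg+xml", "logo.svg", svg))
    print(hardened_headers("image/png", "logo.png", b"\x89PNG\r\n"))
```

The markup check is belt-and-braces: with X-Content-Type-Options set, a browser will not sniff a text/plain body into SVG, but a declared image type wrapping SVG markup still ends up as a download rather than relying on that header being honoured.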
Attack Vector
An attacker crafts an SVG file containing JavaScript inside a <script> element or an event handler such as onload. The attacker emails the SVG as an attachment to a mailbox managed through Webmin. When the administrator clicks the attachment in the mailboxes interface, detach.cgi serves the file as image/svg+xml, and the browser executes the embedded script in the Webmin origin. The script can read session cookies that are not HttpOnly, issue authenticated requests to Webmin endpoints, or pivot to other administrative actions.
Verified exploit code is not available in the referenced sources. Refer to the upstream commit linked above for the precise code-level change.
Detection Methods for CVE-2026-49102
Indicators of Compromise
- Email attachments with .svg extensions or Content-Type: image/svg+xml headers delivered to mailboxes accessed through Webmin
- HTTP responses from mailboxes/detach.cgi with the image/svg+xml content type
- Outbound HTTP requests from administrator browsers to unexpected hosts shortly after viewing a mailbox attachment
Detection Strategies
- Inspect web server and Webmin access logs for GET requests to /mailboxes/detach.cgi correlated with administrator sessions
- Scan inbound mail flows for SVG attachments containing <script>, onload, onerror, or javascript: URIs
- Compare the installed Webmin version against 2.640 on all managed hosts to identify unpatched systems
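The two log- and mail-side checks in the list above (inspecting access logs for detach.cgi fetches, and scanning inbound mail for SVG attachments carrying script elements, event handlers or javascript: URIs), as an added example that is not part of the original advisory or of Webmin. It walks a MIME message with the standard library, parses each SVG part as XML, and reports the indicators found; the access-log filter assumes Common Log Format lines. The sample message, SVG fixtures and log lines are constructed for the example, with inert placeholder script bodies.

```python
import email
import re
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def svg_script_indicators(svg_bytes: bytes) -> list[str]:
    """Return the active-content indicators found in one SVG document.
    (For untrusted XML in production, prefer defusedxml over xml.etree.)"""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-xml"]  # malformed SVG still deserves a look
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1].lower()  # strip the namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            local = name.split("}", 1)[-1].lower()
            if local.startswith("on"):  # onload, onerror, onclick, ...
                findings.append(f"{local} handler on <{tag}>")
            is_href = local == "href" or name == XLINK_HREF
            if is_href and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI on <{tag}>")
    return findings


def scan_message(raw: bytes) -> list[dict]:
    """Report every SVG attachment in a raw RFC 5322 message with its indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = []
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if ctype != "image/svg+xml" and not fname.lower().endswith(".svg"):
            continue
        payload = part.get_payload(decode=True) or b""
        reports.append({"filename": fname, "content_type": ctype,
                        "indicators": svg_script_indicators(payload)})
    return reports


# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def detach_requests(log_lines) -> list[tuple]:
    """Return (user, path) for each successful detach.cgi fetch in CLF lines."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith("/mailboxes/detach.cgi"):
            hits.append((m["user"], m["path"]))
    return hits


def build_sample_message(svg_bytes: bytes) -> bytes:
    """Constructed test message with one SVG attachment; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(svg_bytes, maintype="image", subtype="svg+xml",
                       filename="invoice.svg")
    return msg.as_bytes()


# Constructed fixtures: one inert SVG and one carrying the three indicator kinds.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              b'<script>/* inert placeholder */</script>'
              b'<a href="javascript:y()"><text>t</text></a></svg>')

# Constructed access-log lines in Common Log Format.
LOG_LINES = [
    '10.0.0.5 - admin [27/May/2026:10:00:01 +0000] "GET /mailboxes/detach.cgi?idx=3&attach=1 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [27/May/2026:10:00:02 +0000] "GET /mailboxes/view_mail.cgi?idx=3 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [27/May/2026:10:00:03 +0000] "GET /mailboxes/detach.cgi?idx=3&attach=1 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for svg in (BENIGN_SVG, ACTIVE_SVG):
        print(scan_message(build_sample_message(svg)))
    print(detach_requests(LOG_LINES))
```

Correlating the two outputs (a detach.cgi fetch by an administrator shortly after a flagged SVG arrived in that mailbox) is the event worth paging on; either signal alone is noisy on a server that legitimately handles mail.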
Monitoring Recommendations
- Alert on browser sessions where Webmin administrative endpoints are invoked from unusual referrers immediately after attachment downloads
- Forward Webmin and reverse-proxy logs to a centralized analytics platform for correlation with mail gateway telemetry
- Track creation of new Webmin users, ACL changes, or scheduled commands following mailbox attachment access events
How to Mitigate CVE-2026-49102
Immediate Actions Required
- Upgrade Webmin to version 2.640 or later on every host running the mailboxes module
- Instruct administrators to avoid opening SVG attachments from untrusted senders until patching is complete
- Review recent mailbox activity for SVG attachments delivered before the upgrade
Patch Information
Webmin 2.640 ships the fix that changes how SVG attachments are served by mailboxes/detach.cgi. The change is included in the GitHub commit cf432879 and the 2.630 to 2.640 release comparison. Apply the upstream release rather than backporting manually to ensure all related changes are included.
Workarounds
- Disable the Webmin mailboxes module on hosts that do not require it
- Place Webmin behind a reverse proxy that rewrites the Content-Type of /mailboxes/detach.cgi responses to text/plain or application/octet-stream
- Enforce a strict Content-Security-Policy header on Webmin responses to block inline script execution in served documents
# Example nginx override to neutralize SVG attachments served by Webmin
location /mailboxes/detach.cgi {
    proxy_pass https://webmin-backend:10000;

    # Drop the upstream Content-Type before setting a non-executable one;
    # add_header on its own would append a second Content-Type, not replace it.
    proxy_hide_header Content-Type;
    add_header Content-Type "application/octet-stream" always;
    # Force a download so the browser never renders the body in the Webmin origin.
    add_header Content-Disposition "attachment" always;
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    # Note: add_header in a location block replaces, rather than extends, any
    # add_header directives inherited from the server block; repeat them here.
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.