CVE-2026-22678

Severity CVSS v4.0:
MEDIUM
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
21/05/2026
Last modified:
26/05/2026

Description

Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* 2.641 (excluding)