CVE-2022-36446

CRITICAL NUCLEI

Webmin < 1.997 - Remote Code Execution via Unescaped UI Command

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2022-36446. PoCs were published by Emir Polat, p0dalirius and emirpolatt, and the set includes the Metasploit module exploits/linux/http/webmin_package_updates_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets CVE-2022-36446 in Webmin versions < 1.997, leveraging authenticated RCE via command injection in the package-updates module. It establishes a reverse shell by injecting a Python payload into the 'u' parameter.

Description

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

Exploits (5)

exploitdb WORKING POC
by Emir Polat · python · webapps · linux
https://www.exploit-db.com/exploits/50998

This exploit targets CVE-2022-36446 in Webmin versions < 1.997, leveraging authenticated RCE via command injection in the package-updates module. It establishes a reverse shell by injecting a Python payload into the 'u' parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Webmin < 1.997
Auth required
Prerequisites: Valid Webmin credentials · Access to the 'Software Package Updates' module · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 116 stars
by p0dalirius · poc
https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE

This repository contains a functional Python exploit for CVE-2022-36446, an authenticated RCE vulnerability in Webmin's Software Package Updates feature. The exploit leverages command injection via the 'u' parameter in the update.cgi endpoint to execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Webmin < 1.997
Auth required
Prerequisites: Valid Webmin credentials · Access to the Software Package Updates module
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by emirpolatt · poc
https://github.com/emirpolatt/CVE-2022-36446

This repository contains a functional Python exploit for CVE-2022-36446, demonstrating authenticated remote code execution in Webmin versions < 1.997 via command injection in the 'Software Package Updates' module. The exploit includes a reverse shell payload and detailed HTTP request formatting.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Webmin < 1.997
Auth required
Prerequisites: Valid Webmin credentials · Access to 'Software Package Updates' module
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Kang3639 · poc
https://github.com/Kang3639/CVE-2022-36446

This repository contains a functional Python exploit for CVE-2022-36446, an authenticated remote code execution vulnerability in Webmin versions prior to 1.997. The exploit leverages command injection in the Software Package Updates feature to execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Webmin < 1.997
Auth required
Prerequisites: Valid Webmin credentials · Access to the Software Package Updates module
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Christophe De La Fuente, Emir Polat · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_package_updates_rce.rb

This Metasploit module exploits a command injection vulnerability in Webmin's package update functionality (CVE-2022-36446) by injecting arbitrary commands via the 'u' parameter in the update.cgi endpoint. It supports multiple payload types and requires authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Webmin < 1.997
Auth required
Prerequisites: Valid Webmin credentials · Access to the Software Package Updates module
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Webmin <1.997 - Authenticated Remote Code Execution
CRITICAL · by gy741
Shodan: title:"Webmin" || http.title:"webmin"
FOFA: title="webmin"

References (6)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/webmin/webmin/compare/1.996...1.997
Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50998
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html

Scores

CVSS v3 9.8
EPSS 0.9605
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-116
Status: published
Products (1): webmin/webmin < 1.997
Published: Jul 25, 2022
Tracked Since: Feb 18, 2026