CVE-2026-22678
MEDIUMWebmin < 2.641 Stored XSS via System and Server Status
Title source: cnaDescription
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi.
References (2)
Core 2
Core References
Patch release-notes
patch
https://webmin.com/changelog/webmin-2.641-released/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-status
Scores
CVSS v3
5.4
EPSS
0.0017
EPSS Percentile
6.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
Webmin/Webmin
< 2.641
webmin/webmin
< 2.641
Published
May 21, 2026
Tracked Since
May 22, 2026