Critical Webmin Stored XSS Vulnerability Lets Untrusted Users Compromise Root-Level Access
A critical stored cross-site scripting (XSS) vulnerability has been disclosed in Webmin, the widely used web-based Unix system administration interface.
Tracked as CVE-2026-22678, the flaw enables untrusted users to silently compromise root-level accounts through maliciously crafted notification email templates, posing a severe risk to enterprise and hosting environments alike.
The vulnerability resides in Webmin’s System and Server Status module and affects all versions prior to 2.641. An untrusted Webmin user with permission to create notification email templates can inject malicious scripts that execute in the root user’s context when the template is viewed.
Because the payload is persistently stored on the server and triggered during routine administrative activity, the root account can be silently compromised without any suspicious interaction. Security researcher Wade Sparks responsibly disclosed the flaw to the Webmin team.
This attack vector is particularly dangerous in multi-tenant or enterprise environments where administrative access is delegated to less-privileged users.
Webmin confirmed that stored XSS flaws escalating to root-level access represent a critical risk, especially in hosting environments where Webmin or Virtualmin manages multiple domains with separately credentialed users.
Webmin 2.640 also addressed three additional vulnerabilities reported by Andrea Carlo Maria Dattola, Marco Ventura, and Massimiliano Brolli:
- CVE-2026-49102 – XSS via SVG Email Attachment: Opening a malicious email containing an SVG attachment can trigger an XSS attack within the Read User Mail module, potentially exposing session tokens and user data.
- CVE-2026-49103 – Email Attachment File Overwrite: Webmin fails to safely construct filenames when saving attachments in the Read User Mail module, enabling arbitrary file-overwrite attacks.
- CVE-2026-42210 / CVE-2026-56022 – 2FA Bypass via Basic Authentication: Accounts with two-factor authentication enabled can bypass the 2FA requirement entirely by using Basic HTTP authentication instead of Webmin’s standard cookie-based session login.
Additionally, a privilege escalation via the built-in Help feature, patched without a CVE assignment, allowed untrusted users to execute commands with root privileges regardless of their module-level permissions.
The 2FA bypass flaw is especially concerning. While valid credentials are still required, circumventing multi-factor authentication erodes a critical defensive layer and could facilitate credential stuffing or phishing campaigns targeting administrator accounts.
These vulnerabilities collectively expose persistent weaknesses in Webmin’s permission delegation model.
Affected and Fixed Versions
| CVE | Affected Version | Fixed Version |
|---|---|---|
| CVE-2026-22678 | Prior to 2.641 | Webmin 2.641 |
| CVE-2026-49102 | Prior to 2.640 | Webmin 2.640 |
| CVE-2026-49103 | Prior to 2.640 | Webmin 2.640 |
| CVE-2026-42210 / CVE-2026-56022 | Prior to 2.640 | Webmin 2.640 |
Administrators are strongly advised to upgrade to Webmin 2.641 immediately. Organizations running Virtualmin should also apply updates and conduct a thorough permissions audit for untrusted users, particularly those with access to notification template configuration and email modules. Restricting the delegation of template management rights until patching is complete is strongly recommended as an interim mitigation step.
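As an added helper (not from the advisory or the Webmin project), the check below maps an installed Webmin version against the fixed versions listed in the table above and reports which CVEs remain unpatched. Webmin versions are decimal numbers (1.999 < 2.000 < 2.105 < 2.640), so they are compared as decimals rather than as dotted tuples; the version file path is an assumption.

```python
from decimal import Decimal, InvalidOperation

# Fixed versions exactly as stated in the advisory's table.
FIXED_IN = {
    "CVE-2026-22678": "2.641",  # stored XSS via notification email templates
    "CVE-2026-49102": "2.640",  # XSS via SVG email attachment
    "CVE-2026-49103": "2.640",  # attachment filename overwrite
    "CVE-2026-42210": "2.640",  # 2FA bypass via Basic authentication
    "CVE-2026-56022": "2.640",  # 2FA bypass via Basic authentication (second id)
}


def parse_webmin_version(text: str) -> Decimal:
    """Parse a Webmin version string as a decimal number.

    A dotted-tuple comparison would rank "2.64" below "2.640" although they
    denote the same release; Decimal compares them as equal.
    """
    try:
        return Decimal(text.strip())
    except InvalidOperation:
        raise ValueError(f"not a Webmin version number: {text!r}") from None


def unpatched_cves(version: str) -> list[str]:
    """Return the advisory's CVEs whose fix is newer than the installed version."""
    installed = parse_webmin_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < Decimal(fixed))


def read_installed_version(path: str = "/etc/webmin/version") -> str:
    """Read the version file written by a Webmin install (path is an assumption)."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    import sys
    ver = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    missing = unpatched_cves(ver)
    if missing:
        print(f"Webmin {ver} still lacks fixes for: {', '.join(missing)}; upgrade to 2.641")
    else:
        print(f"Webmin {ver} includes every fix listed in the advisory")
```

Run it as `python3 webmin_check.py 2.640` to test a version string without reading the local install.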