Critical Stored XSS Vulnerability in Webmin Exposes Systems to Privilege Escalation
A newly disclosed stored cross-site scripting (XSS) vulnerability in Webmin, tracked as CVE-2026-22678, allows attackers with limited privileges to compromise root users on affected systems. The flaw resides in the System and Server Status module, a core component used for monitoring and alert management in Webmin versions prior to 2.641.
The vulnerability stems from improper input sanitization in notification email templates. An authenticated but untrusted Webmin user with permissions to create or modify these templates can inject malicious JavaScript payloads. When a privileged user including root views the altered template, the script executes in their browser, enabling a stored XSS attack.
Unlike reflected XSS, this exploit is persistent, meaning the payload remains embedded in the server and triggers whenever a privileged user accesses the affected module. Successful exploitation could lead to session hijacking, credential theft, or unauthorized administrative actions, effectively granting attackers full system control under the context of a root session. Real-world risks include system compromise, data exfiltration, and lateral movement within networks.
Security researcher Wade Sparks discovered and reported the flaw, which was acknowledged by the Webmin development team in an April 25, 2024 advisory. A patch was released in Webmin 2.641, addressing the vulnerability. Organizations running affected versions are urged to upgrade immediately and audit existing templates for suspicious scripts. Additional mitigations include restricting template modification permissions and deploying web application firewalls (WAFs) to block injection attempts.
The incident underscores the high-risk nature of stored XSS vulnerabilities in administrative tools, particularly those managing Unix-based systems. As threat actors increasingly target management interfaces, secure coding practices and least-privilege access controls remain critical defenses.
Source: https://gbhackers.com/webmin-stored-xss-vulnerability/
ServerManagementPlus cybersecurity rating report: https://www.rankiteo.com/company/servermanagementplus
"id": "SER1782296799",
"linkid": "servermanagementplus",
"type": "Vulnerability",
"date": "4/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'IT/Software',
'name': 'Webmin',
'type': 'Software'}],
'attack_vector': 'Authenticated user with template modification permissions '
'injects malicious JavaScript into notification email '
'templates',
'date_publicly_disclosed': '2024-04-25',
'description': 'A newly disclosed stored cross-site scripting (XSS) '
'vulnerability in Webmin, tracked as CVE-2026-22678, allows '
'attackers with limited privileges to compromise root users on '
'affected systems. The flaw resides in the System and Server '
'Status module, a core component used for monitoring and alert '
'management in Webmin versions prior to 2.641. The '
'vulnerability stems from improper input sanitization in '
'notification email templates, enabling persistent XSS attacks '
'that could lead to session hijacking, credential theft, or '
'unauthorized administrative actions.',
'impact': {'identity_theft_risk': 'Credential theft risk',
'operational_impact': 'Full system control under root context, '
'potential lateral movement within networks',
'systems_affected': 'Webmin versions prior to 2.641'},
'lessons_learned': 'The incident underscores the high-risk nature of stored '
'XSS vulnerabilities in administrative tools, particularly '
'those managing Unix-based systems. Secure coding '
'practices and least-privilege access controls are '
'critical defenses.',
'post_incident_analysis': {'corrective_actions': 'Patch released in Webmin '
'2.641, recommended WAF '
'deployment, and permission '
'restrictions',
'root_causes': 'Improper input sanitization in '
'notification email templates'},
'recommendations': 'Upgrade to Webmin 2.641 immediately, restrict template '
'modification permissions, deploy web application '
'firewalls (WAFs), and audit existing templates for '
'suspicious scripts.',
'references': [{'source': 'Webmin Development Team Advisory'},
{'source': 'Security Researcher Wade Sparks'}],
'response': {'adaptive_behavioral_waf': 'Recommended deployment of web '
'application firewalls (WAFs) to '
'block injection attempts',
'communication_strategy': 'Public advisory issued on April 25, '
'2024',
'containment_measures': 'Upgrade to Webmin 2.641, audit existing '
'templates for suspicious scripts',
'remediation_measures': 'Patch released in Webmin 2.641'},
'title': 'Critical Stored XSS Vulnerability in Webmin Exposes Systems to '
'Privilege Escalation',
'type': 'Stored Cross-Site Scripting (XSS)',
'vulnerability_exploited': 'CVE-2026-22678'}