Critical Webmin Vulnerabilities Expose Root Access and Bypass 2FA
A critical stored cross-site scripting (XSS) vulnerability in Webmin, the popular web-based Unix system administration tool, has been disclosed, allowing untrusted users to compromise root-level accounts through malicious notification email templates. Tracked as CVE-2026-22678, the flaw affects all Webmin versions prior to 2.641 and resides in the System and Server Status module.
The vulnerability enables attackers with permission to create email templates to inject malicious scripts that execute with root privileges when viewed. This poses a severe risk in multi-tenant or enterprise environments, where administrative access is often delegated to less-privileged users. Since the payload is stored on the server, root accounts can be silently compromised during routine administrative tasks without requiring direct interaction.
Security researcher Wade Sparks responsibly disclosed the flaw, which was patched in Webmin 2.641. The update also addressed three additional vulnerabilities reported by Andrea Carlo Maria Dattola, Marco Ventura, and Massimiliano Brolli:
- CVE-2026-49102 – XSS via SVG email attachments in the Read User Mail module, potentially exposing session tokens and user data.
- CVE-2026-49103 – Arbitrary file overwrite in the Read User Mail module due to unsafe filename handling.
- CVE-2026-42210 / CVE-2026-56022 – 2FA bypass via Basic HTTP authentication, allowing attackers to circumvent multi-factor authentication with only valid credentials.
An additional privilege escalation flaw in Webmin’s Help feature, which allowed untrusted users to execute root-level commands regardless of permissions, was also patched without a CVE assignment.
The vulnerabilities highlight systemic risks in Webmin’s permission delegation model, particularly in hosting environments where Webmin or Virtualmin manages multiple domains with separate user credentials. The 2FA bypass flaw is especially concerning, as it weakens a critical security layer and could facilitate credential stuffing or phishing attacks against administrators.
Affected and Fixed Versions:
- CVE-2026-22678 – Fixed in Webmin 2.641
- CVE-2026-49102, CVE-2026-49103, CVE-2026-42210 / CVE-2026-56022 – Fixed in Webmin 2.640
Administrators are urged to upgrade immediately to mitigate these risks.
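To turn the version table above into something an administrator can run, here is an added example (not code from the advisory or from the Webmin project) that maps an installed Webmin version to the fixed versions listed for each CVE. The file path /etc/webmin/version and the "MAJOR.MINOR" format with a zero-padded three-digit minor are assumptions about Webmin installs.

```python
"""Check an installed Webmin version against the fixes listed in this advisory.

Added example, not part of the advisory or of Webmin. Assumes versions look
like "2.640" (zero-padded three-digit minor) and that the installed version
is recorded in /etc/webmin/version.
"""
from __future__ import annotations
from pathlib import Path

# Fixed versions exactly as stated in the advisory above.
FIXED_IN = {
    "CVE-2026-22678": "2.641",  # stored XSS, System and Server Status module
    "CVE-2026-49102": "2.640",  # XSS via SVG attachments, Read User Mail
    "CVE-2026-49103": "2.640",  # arbitrary file overwrite, Read User Mail
    "CVE-2026-42210 / CVE-2026-56022": "2.640",  # 2FA bypass via Basic auth
}

WEBMIN_VERSION_FILE = Path("/etc/webmin/version")  # assumed location


def parse_version(text: str) -> tuple[int, int]:
    """Turn '2.640' into (2, 640); tuple comparison then orders releases."""
    major, _, minor = text.strip().partition(".")
    if not major.isdigit() or not minor.isdigit():
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(major), int(minor)


def unpatched_cves(installed: str) -> list[str]:
    """Return the advisory CVEs whose fix the installed version predates."""
    have = parse_version(installed)
    return [cve for cve, fixed in FIXED_IN.items() if have < parse_version(fixed)]


def check_installed(version_file: Path = WEBMIN_VERSION_FILE) -> list[str] | None:
    """Read the local version file, if present, and report missing fixes."""
    if not version_file.is_file():
        return None  # no Webmin here, or installed somewhere else
    return unpatched_cves(version_file.read_text())


if __name__ == "__main__":
    missing = check_installed()
    if missing is None:
        print(f"{WEBMIN_VERSION_FILE} not found; is Webmin installed?")
    elif missing:
        print("Upgrade required; unpatched:", ", ".join(missing))
    else:
        print("Installed Webmin is at or above every fixed version listed here.")
```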
Source: https://cyberpress.org/critical-webmin-stored-xss-vulnerability/
Virtualmin cybersecurity rating report: https://www.rankiteo.com/company/virtualmin
ServerManagementPlus cybersecurity rating report: https://www.rankiteo.com/company/servermanagementplus
{
  "id": "VIRSER1782304191",
  "linkid": "virtualmin, servermanagementplus",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of Webmin versions prior to 2.641 and 2.640, particularly in hosting and enterprise environments",
      "industry": "IT/System Administration",
      "name": "Webmin",
      "type": "Software"
    }
  ],
  "attack_vector": ["Malicious email templates", "SVG email attachments", "Basic HTTP authentication"],
  "customer_advisories": "Administrators are urged to upgrade immediately to mitigate risks.",
  "data_breach": {
    "file_types_exposed": ["Email templates", "SVG attachments"],
    "personally_identifiable_information": "Potentially exposed",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Session tokens", "User data", "Personally identifiable information"]
  },
  "description": "A critical stored cross-site scripting (XSS) vulnerability in Webmin, the popular web-based Unix system administration tool, has been disclosed, allowing untrusted users to compromise root-level accounts through malicious notification email templates. The vulnerabilities also include XSS via SVG email attachments, arbitrary file overwrite, and a 2FA bypass via Basic HTTP authentication, posing severe risks in multi-tenant or enterprise environments.",
  "impact": {
    "brand_reputation_impact": "Severe risk in multi-tenant or enterprise environments",
    "data_compromised": ["Session tokens", "User data", "Personally identifiable information"],
    "identity_theft_risk": "High",
    "operational_impact": "Root-level account compromise, potential unauthorized system administration",
    "systems_affected": ["Webmin versions prior to 2.641", "Webmin versions prior to 2.640"]
  },
  "lessons_learned": "Systemic risks in Webmin’s permission delegation model, particularly in hosting environments. Importance of patching critical vulnerabilities promptly.",
  "post_incident_analysis": {
    "corrective_actions": "Patch vulnerabilities, restrict permissions for untrusted users, and enhance security controls in multi-tenant environments.",
    "root_causes": "Insecure handling of email templates, SVG attachments, and Basic HTTP authentication in Webmin. Flaws in permission delegation model."
  },
  "recommendations": "Administrators should immediately upgrade to Webmin 2.641 or later to mitigate risks. Review and restrict permissions for untrusted users in multi-tenant environments.",
  "references": [
    {"source": "Security researcher Wade Sparks"},
    {"source": "Andrea Carlo Maria Dattola, Marco Ventura, and Massimiliano Brolli"}
  ],
  "response": {
    "containment_measures": "Patch released (Webmin 2.641 and 2.640)",
    "remediation_measures": "Upgrade to Webmin 2.641 or later"
  },
  "title": "Critical Webmin Vulnerabilities Expose Root Access and Bypass 2FA",
  "type": ["XSS", "Privilege Escalation", "2FA Bypass", "Arbitrary File Overwrite"],
  "vulnerability_exploited": ["CVE-2026-22678", "CVE-2026-49102", "CVE-2026-49103", "CVE-2026-42210 / CVE-2026-56022"]
}