Webmin

114 known vulnerabilities across versions
Each entry gives the affected version range, the CVE summary and, where one has been assigned, the CVSS base score and severity.
CVE-2025-61541
2.510
Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent t
7.1 HIGH
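The host-header flaw above is a general bug class rather than a Webmin oddity: a reset mailer that builds its link from the request's Host header will mail the victim a link to whatever host the attacker named, and the token leaks on the first click. The following is an added example written for this page, not Webmin's code; it puts the vulnerable construction next to the hardened one. The canonical base URL, the trusted host set, the confirmation path forgot_confirm.cgi and the header shapes are assumptions made for the example.

```python
"""Host-header injection in a password-reset mailer, vulnerable and fixed.

Added example, not Webmin code: a minimal model of the bug class behind
CVE-2025-61541, where forgot_send.cgi builds the reset link from the
request's Host header.  The config values, the confirmation path and the
request shape are assumptions made for the example.
"""
from urllib.parse import quote, urlsplit

CANONICAL_BASE = "https://panel.example.com:10000"       # assumed deployment
TRUSTED_HOSTS = {"panel.example.com:10000", "panel.example.com"}
RESET_PATH = "/forgot_confirm.cgi"                         # hypothetical name


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The vulnerable pattern: the link base is whatever the client sent.

    An attacker who requests a reset for the victim's account with
    Host: attacker.example (or X-Forwarded-Host, which a proxy may pass
    through untouched) gets a reset mail delivered to the victim that
    points at the attacker's server; one click hands over the token.
    """
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}{RESET_PATH}?token={quote(token)}"


def is_trusted_host(host: str) -> bool:
    """Exact-match allowlist; no suffix or substring matching."""
    return host.lower() in TRUSTED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Never derive the link base from client-controlled input.

    Host is still validated so that a spoofed or misrouted request fails
    loudly, but the link itself is always built from the configured
    canonical base.  X-Forwarded-Host is ignored on purpose.
    """
    host = _header(headers, "Host")
    if not is_trusted_host(host):
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"{CANONICAL_BASE}{RESET_PATH}?token={quote(token)}"


def link_host(url: str) -> str:
    """Host component of a generated link, to check where it would send the user."""
    return urlsplit(url).netloc


if __name__ == "__main__":
    token = "t0k-3n"   # constructed; a real token is random and single-use
    spoofed = {"Host": "attacker.example"}
    print("vulnerable ->", reset_link_vulnerable(spoofed, token))
    print("hardened   ->", reset_link_hardened({"Host": "panel.example.com:10000"}, token))
```

The hardened version still checks Host, but only to reject requests that arrived under a name the panel is not served as; the link never depends on it. Behind a reverse proxy X-Forwarded-Host is as attacker-controllable as Host unless the proxy overwrites it, which is why the fixed version does not consult it at all.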
CVE-2015-2079
>= 0.980 and < 1.660 (Usermin)
Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argumen
9.9 CRITICAL
CVE-2024-12828
all versions
Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary
8.8 HIGH
CVE-2024-44762
2.100 (Usermin)
A discrepancy in error messages for invalid login attempts in Webmin Usermin v2.100 allows attackers to enumerate valid user accou
5.3 MEDIUM
CVE-2024-45692
< 2.202
Webmin before 2.202 and Virtualmin before 7.20.2 allow a network traffic loop via spoofed UDP packets on port 10000.
7.5 HIGH
CVE-2024-36453
< 1.970
Cross-site scripting vulnerability exists in session_login.cgi of Webmin versions prior to 1.970 and Usermin versions prior to 1.8
6.1 MEDIUM
CVE-2024-36452
< 2.003
Cross-site request forgery vulnerability exists in ajaxterm module of Webmin versions prior to 2.003. If this vulnerability is exp
3.1 LOW
CVE-2024-36451
< 2.003
Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If t
8.8 HIGH
CVE-2024-36450
< 1.910
Cross-site scripting vulnerability exists in sysinfo.cgi of Webmin versions prior to 1.910. If this vulnerability is exploited, an
5.4 MEDIUM
CVE-2023-52046
<= 2.105
Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a cr
4.8 MEDIUM
CVE-2023-43309
<= 2.002
There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, whi
4.8 MEDIUM
CVE-2023-41157
2.000 (Usermin)
Multiple stored cross-site scripting (XSS) vulnerabilities in Usermin 2.000 allow remote attackers to inject arbitrary web script
5.4 MEDIUM
CVE-2023-40983
2.100
A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute mal
6.1 MEDIUM
CVE-2023-40982
2.100
A stored cross-site scripting (XSS) vulnerability in Webmin v2.100 allows attackers to execute arbitrary web scripts or HTML via a
5.4 MEDIUM
CVE-2023-40986
2.100
A stored cross-site scripting (XSS) vulnerability in the Usermin Configuration function of Webmin v2.100 allows attackers to execu
5.4 MEDIUM
CVE-2023-40985
2.100
An issue was discovered in Webmin 2.100. The File Manager functionality allows an attacker to exploit a Cross-Site Scripting (XSS)
5.4 MEDIUM
CVE-2023-40984
2.100
A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute mal
5.4 MEDIUM
CVE-2023-41160
2.001 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject
5.4 MEDIUM
CVE-2023-41159
2.000 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability while editing the autoreply file page in Usermin 2.000 allows remote attackers t
5.4 MEDIUM
CVE-2023-41156
2.001 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability in the filter and forward mail tab in Usermin 2.001 allows remote attackers to i
5.4 MEDIUM
CVE-2023-41162
2.000 (Usermin)
A Reflected Cross-site scripting (XSS) vulnerability in the file manager tab in Usermin 2.000 allows remote attackers to inject ar
6.1 MEDIUM
CVE-2023-41158
2.000 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type programs tab in Usermin 2.000 allows remote attackers to inject
5.4 MEDIUM
CVE-2023-41155
2.000
A Stored Cross-Site Scripting (XSS) vulnerability in the mail forwarding and replies tab in Webmin and Usermin 2.000 allows remote
5.4 MEDIUM
CVE-2023-41154
2.000 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability in the scheduled cron jobs tab in Usermin 2.000 allows remote attackers to injec
5.4 MEDIUM
CVE-2023-41152
2.000 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type programs tab in Usermin 2.000 allows remote attackers to inject
5.4 MEDIUM
CVE-2023-41161
2.000 (Usermin)
Multiple stored cross-site scripting (XSS) vulnerabilities in Usermin 2.000 allow remote attackers to inject arbitrary web script
5.4 MEDIUM
CVE-2023-41163
2.000 (Usermin)
A Reflected Cross-site scripting (XSS) vulnerability in the file manager tab in Usermin 2.000 allows remote attackers to inject ar
6.1 MEDIUM
CVE-2023-41153
2.001 (Usermin)
A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject
5.4 MEDIUM
CVE-2023-38311
2.021
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewe
5.4 MEDIUM
CVE-2023-38310
2.021
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the configuration set
5.4 MEDIUM
CVE-2023-38309
2.021
An issue was discovered in Webmin 2.021. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the package search
6.1 MEDIUM
CVE-2023-38308
2.021
An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionalit
6.1 MEDIUM
CVE-2023-38307
2.021
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups
5.4 MEDIUM
CVE-2023-38306
2.021
An issue was discovered in Webmin 2.021. A Cross-site Scripting (XSS) Bypass vulnerability was discovered in the file upload funct
6.1 MEDIUM
CVE-2023-38305
2.021
An issue was discovered in Webmin 2.021. The download functionality allows an attacker to exploit a Cross-Site Scripting (XSS) vul
6.1 MEDIUM
CVE-2023-38304
2.021
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups
5.4 MEDIUM
CVE-2023-38303
2.021
An issue was discovered in Webmin 2.021. One can exploit a stored Cross-Site Scripting (XSS) attack to achieve Remote Command Exec
5.4 MEDIUM
CVE-2022-3844
2.001
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm
3.5 LOW
CVE-2022-35132
<= 1.850 (Usermin)
Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG mo
8.8 HIGH
CVE-2022-36880
1.995
The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.
6.1 MEDIUM
CVE-2022-36446
< 1.997
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
9.8 CRITICAL
CVE-2022-30708
<= 1.991
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e.,
8.8 HIGH
CVE-2021-32162
1.973
A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature.
8.8 HIGH
CVE-2021-32161
1.973
A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature.
6.1 MEDIUM
CVE-2021-32160
1.973
A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature.
6.1 MEDIUM
CVE-2021-32159
1.973
A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature.
8.8 HIGH
CVE-2021-32158
1.973
A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Upload and Download feature.
6.1 MEDIUM
CVE-2021-32157
1.973
A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.
9.6 CRITICAL
CVE-2021-32156
1.973
A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.
8.8 HIGH
CVE-2022-0829
< 1.990
Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
8.1 HIGH
CVE-2022-0824
< 1.990
Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
8.8 HIGH
CVE-2021-31762
1.973
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and
8.8 HIGH
CVE-2021-31761
1.973
Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running proc
9.6 CRITICAL
CVE-2021-31760
1.973
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running p
8.8 HIGH
CVE-2020-35769
1.962 (Windows)
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.
9.8 CRITICAL
CVE-2020-35606
<= 1.962
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbi
8.8 HIGH
CVE-2020-8821
<= 1.941
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may ente
5.4 MEDIUM
CVE-2020-8820
<= 1.941
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Pa
5.4 MEDIUM
CVE-2020-12670
<= 1.941
XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempt
6.1 MEDIUM
CVE-2019-15642
<= 1.920
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable
8.8 HIGH
CVE-2019-15641
<= 1.930
xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cg
6.5 MEDIUM
CVE-2019-15107
<= 1.920
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
9.8 CRITICAL
CVE-2019-12840
<= 1.910
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges v
8.8 HIGH
CVE-2018-19191
1.890
Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlo
5.4 MEDIUM
CVE-2019-9624
1.900
Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" pri
7.8 HIGH
CVE-2018-8712
1.840, 1.880
An issue was discovered in Webmin 1.840 and 1.880 when the default Yes setting of "Can view any file as a log file" is enabled. As
9.8 CRITICAL
CVE-2017-17089
<= 1.860
custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field
4.8 MEDIUM
CVE-2017-15646
<= 1.850
Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from
6.1 MEDIUM
CVE-2017-15645
<= 1.850
CSRF exists in Webmin 1.850. By sending a GET request to at/create_job.cgi containing dir=/&cmd= in the URI, an attacker to execut
8.8 HIGH
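Several entries on this page are CSRF against Webmin CGIs, and CVE-2017-15645 shows the awkward case: the state change happens on a plain GET, so a check that only looks at POST requests misses it. Webmin's defence against this class is its referer check, and the CVE-2014-3886 entry further down notes what happens when that check is disabled. The following is an added example, not Webmin's own implementation, modelling such a check. The trusted host, the read-only endpoint and the sample requests are constructed; the two state-changing paths are taken from CSRF entries on this page.

```python
"""Referer/Origin check for state-changing CGI endpoints.

Added example, not Webmin's own code: a small model of the referer-checking
defence against the CSRF entries in this listing.  CVE-2017-15645 is the
clearest case (a plain GET to at/create_job.cgi with dir= and cmd= creates a
job).  The trusted host, the read-only endpoint and the sample requests are
constructed; the two state-changing paths appear in entries on this page.
"""
from typing import Optional
from urllib.parse import urlsplit

# host:port under which the panel is legitimately served (assumed deployment).
TRUSTED_HOSTS = {"panel.example.com:10000"}

# CGIs that change state even when reached with GET.  Keying the check on the
# endpoint rather than on the HTTP method is the point: "GET is safe" is false
# for a CGI that creates a job from query parameters.
STATE_CHANGING = {"/at/create_job.cgi", "/file/show.cgi"}


def _headers_ci(headers: dict) -> dict:
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def source_host(headers: dict) -> Optional[str]:
    """host:port of the page that issued the request, taken from Origin
    (preferred) or Referer.  None when neither is usable; an Origin of
    "null" (opaque origins, some privacy modes) has no netloc and therefore
    maps to None rather than falling through to a possibly forged Referer."""
    h = _headers_ci(headers)
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return urlsplit(value).netloc.lower() or None
    return None


def allow_request(method: str, path: str, headers: dict) -> bool:
    """Read-only requests pass; anything that can change state needs a
    trusted Origin/Referer.  A missing header on such a request is treated
    as cross-site (fail closed): a hostile page can strip the Referer on
    purpose, so its absence proves nothing."""
    read_only = method.upper() in ("GET", "HEAD") and path not in STATE_CHANGING
    if read_only:
        return True
    src = source_host(headers)
    return src is not None and src in TRUSTED_HOSTS


# Constructed requests illustrating the decision table (not captured traffic).
SAMPLES = [
    ("GET", "/at/create_job.cgi", {"Referer": "https://evil.example/lure.html"}),
    ("GET", "/at/create_job.cgi", {}),
    ("GET", "/at/create_job.cgi", {"Referer": "https://panel.example.com:10000/at/"}),
    ("GET", "/sysinfo.cgi", {}),
    ("POST", "/sysinfo.cgi", {"Origin": "null"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLES:
        verdict = "allow" if allow_request(method, path, headers) else "deny"
        print(f"{verdict:5} {method:4} {path} {headers}")
```

Webmin exposes its own version of this as the Trusted Referers setting under Webmin Configuration. The check depends on the browser sending Referer or Origin, which a Referrer-Policy can suppress, so a per-session anti-CSRF token in each state-changing form is the stronger defence and the referer check is the backstop.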
CVE-2017-15644
<= 1.850
SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as demonstrated by a GET request for tunnel/link.cgi/http://INTR
8.6 HIGH
CVE-2017-9313
<= 1.840
Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script o
6.1 MEDIUM
CVE-2017-2106
<= 1.820
Multiple cross-site scripting vulnerabilities in Webmin versions prior to 1.830 allows remote attackers to inject arbitrary web sc
6.1 MEDIUM
CVE-2016-4897
<= 1.680
Multiple cross-site scripting (XSS) vulnerabilities in (1) filter/save_forward.cgi, (2) filter/save.cgi, (3) /man/search.cgi in Us
6.1 MEDIUM
CVE-2015-1377
<= 1.720
The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file.
CVE-2014-3886
<= 1.680
Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to in
CVE-2014-3885
<= 1.680
Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows remote authenticated users to inject arbitrary web script o
CVE-2014-3884
<= 1.590
Cross-site scripting (XSS) vulnerability in Usermin before 1.600 allows remote attackers to inject arbitrary web script or HTML vi
CVE-2014-3883
<= 1.590
Usermin before 1.600 allows remote attackers to execute arbitrary operating-system commands via unspecified vectors related to a u
CVE-2014-3924
<= 1.680
Multiple cross-site scripting (XSS) vulnerabilities in Webmin before 1.690 and Usermin before 1.600 allow remote attackers to inje
CVE-2014-0339
<= 1.670
Cross-site scripting (XSS) vulnerability in view.cgi in Webmin before 1.680 allows remote attackers to inject arbitrary web script
CVE-2012-4893
<= 1.590
Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to
CVE-2012-2983
<= 1.590
file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents,
CVE-2012-2982
<= 1.590
file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character
CVE-2012-2981
<= 1.590
Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the t
CVE-2011-1937
<= 1.540
Cross-site scripting (XSS) vulnerability in Webmin 1.540 and earlier allows local users to inject arbitrary web script or HTML via
CVE-2009-4568
< 1.500
Cross-site scripting (XSS) vulnerability in Webmin before 1.500 and Usermin before 1.430 allows remote attackers to inject arbitra
CVE-2008-0720
1.370, 1.390
Cross-site scripting (XSS) vulnerability in Webmin 1.370 and 1.390 and Usermin 1.300 and 1.320 allows remote attackers to inject a
CVE-2007-5066
<= 1.360
Unspecified vulnerability in Webmin before 1.370 on Windows allows remote authenticated users to execute arbitrary commands via a
CVE-2007-3156
<= 1.340
Multiple cross-site scripting (XSS) vulnerabilities in pam_login.cgi in Webmin before 1.350 and Usermin before 1.280 allow remote
CVE-2007-1276
< 1.330
Multiple cross-site scripting (XSS) vulnerabilities in chooser.cgi in Webmin before 1.330 and Usermin before 1.260 allow remote at
CVE-2006-4542
< 1.296
Webmin before 1.296 and Usermin before 1.226 do not properly handle a URL with a null ("%00") character, which allows remote attac
CVE-2006-3392
< 1.290
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers
CVE-2006-3274
< 1.280
Directory traversal vulnerability in Webmin before 1.280, when run on Windows, allows remote attackers to read arbitrary files via
CVE-2005-3912
< 1.250
Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging en
CVE-2005-3042
< 1.230
miniserv.pl in Webmin before 1.230 and Usermin before 1.160, when "full PAM conversations" is enabled, allows remote attackers to
CVE-2005-1177
< 1.200
Unknown vulnerability in (1) Webmin and (2) Usermin before 1.200 causes Webmin to change permissions and ownership of configuratio
CVE-2005-0427
< 1.170-r3 (Gentoo ebuild)
The ebuild of Webmin before 1.170-r3 on Gentoo Linux includes the encrypted root password in the miniserv.users file when building
CVE-2004-1468
1.x
The web mail functionality in Usermin 1.x and Webmin 1.x allows remote attackers to execute arbitrary commands via shell metachara
CVE-2004-0559
1.070, 1.080 (Usermin)
The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink at
CVE-2004-0583
1.140
The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows
CVE-2004-0582
1.140
Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration
CVE-2003-0101
< 1.070
miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and
CVE-2002-2360
>= 0.21 and <= 0.99
The RPC module in Webmin 0.21 through 0.99, when installed without root or admin privileges, allows remote attackers to read and w
CVE-2002-2201
<= 0.99
The Printer Administration module for Webmin 0.990 and earlier allows remote attackers to execute arbitrary commands via shell met
CVE-2002-1947
>= 0.21 and <= 1.0
Webmin 0.21 through 1.0 uses the same built-in SSL key for all installations, which allows remote attackers to eavesdrop or highja
CVE-2002-1673
0.92
The web interface for Webmin 0.92 does not properly quote or filter script code in files that are displayed to the interface, whic
CVE-2002-1672
0.92
Webmin 0.92, when installed from an RPM, creates /var/webmin with insecure permissions (world readable), which could allow local u
CVE-2002-0757
0.96
(1) Webmin 0.96 and (2) Usermin 0.90 with password timeouts enabled allow local and possibly remote attackers to bypass authentica
CVE-2002-0756
0.96
Cross-site scripting vulnerability in the authentication page for (1) Webmin 0.96 and (2) Usermin 0.90 allows remote attackers to
CVE-2001-1530
0.80, 0.88
run.cgi in Webmin 0.80 and 0.88 creates temporary files with world-writable permissions, which allows local users to execute arbit
CVE-2001-1196
0.91
Directory traversal vulnerability in edit_action.cgi of Webmin Directory 0.91 allows attackers to gain privileges via a '..' (dot
CVE-2001-1074
<= 0.84
Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION environment variable when the web server is restarted, whic
CVE-2001-0222
<= 0.84
webmin 0.84 and earlier allows local users to overwrite and create arbitrary files via a symlink attack.
CVE-1999-1074
< 0.5
Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remot
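To use this listing operationally you need to know which entries cover the release you actually run. The affected-version strings above come in a handful of shapes ("< 2.202", "<= 1.920", ">= 0.980 and < 1.660", "all versions"), the CVE texts add a few more (a bare release such as 2.021, a list like 1.840 and 1.880, "1.x", a Gentoo-style 1.170-r3), and Webmin release numbers order numerically, so 2.003 precedes 2.105 and 1.920 is the same release as 1.92. The script below is an added example, not part of this page or of Webmin: it parses those range strings and reports which CVEs cover a given release. Only a few entries are embedded as sample data, copied from the listing; the rest can be pasted in the same form.

```python
"""Match an installed Webmin release against the affected ranges in this listing.

Added example, not part of the original page or of Webmin.  RANGES holds a
few (CVE, affected range) pairs copied from the listing; the parser handles
the range shapes used on the page ("< 2.202", "<= 1.920",
">= 0.980 and < 1.660", "all versions") plus the forms the CVE texts use
(a bare release, a comma list of releases, "1.x", a "-r3" packaging suffix).
"""
import operator
import re
from decimal import Decimal

# Sample data copied from the listing above; extend with more rows as needed.
RANGES = {
    "CVE-2024-45692": "< 2.202",
    "CVE-2024-36451": "< 2.003",
    "CVE-2023-38303": "2.021",
    "CVE-2020-35606": "<= 1.962",
    "CVE-2019-15641": "<= 1.930",
    "CVE-2019-15107": "<= 1.920",
    "CVE-2018-8712": "1.840, 1.880",
    "CVE-2015-2079": ">= 0.980 and < 1.660",
    "CVE-2024-12828": "all versions",
}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
# One clause: optional operator, a release number, optional packaging suffix.
CLAUSE = re.compile(r"^(<=|>=|<|>)?\s*(\d+\.\d+)(?:-\S+)?$")
MAJOR_ONLY = re.compile(r"^(\d+)\.x$")      # "1.x": any release in that major line
VERSION = re.compile(r"\d+\.\d+")


def parse_version(text: str) -> Decimal:
    """Webmin releases are decimals (1.920, 2.003, 2.105, 2.510) and order
    numerically, so 2.003 < 2.105 and 1.920 == 1.92.  Decimal keeps that
    exact; float would work here but invites rounding surprises."""
    m = VERSION.search(text)
    if not m:
        raise ValueError(f"no release number in {text!r}")
    return Decimal(m.group(0))


def clause_matches(v: Decimal, clause: str) -> bool:
    """Evaluate one clause of a range spec against release v."""
    clause = clause.strip()
    m = CLAUSE.match(clause)
    if m:
        op, bound = m.groups()
        return (OPS[op] if op else operator.eq)(v, Decimal(bound))
    m = MAJOR_ONLY.match(clause)
    if m:
        major = int(m.group(1))
        return major <= v < major + 1
    if "," in clause:                          # enumeration of exact releases
        return any(clause_matches(v, part) for part in clause.split(","))
    raise ValueError(f"unparsable range clause {clause!r}")


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every 'and'-joined clause of `spec`.

    "all versions" is how the listing marks entries without a parsed bound;
    it is treated as matching so those CVEs surface for manual review
    instead of silently dropping out of the report."""
    spec = re.sub(r"\(.*?\)", "", spec).strip().lower()   # drop "(Usermin)" style notes
    if spec == "all versions":
        return True
    v = parse_version(version)
    return all(clause_matches(v, c) for c in spec.split(" and "))


def applicable(version: str, ranges=RANGES) -> list:
    """Sorted CVE ids from `ranges` whose affected range covers `version`."""
    return sorted(cve for cve, spec in ranges.items() if in_range(version, spec))


if __name__ == "__main__":
    # On a Webmin host the installed release is normally in /etc/webmin/version;
    # a constructed value is used here so the example runs anywhere.
    installed = "1.930"
    for cve in applicable(installed):
        print(f"{cve}: range {RANGES[cve]!r} covers Webmin {installed}")
```

Feed it the contents of /etc/webmin/version (or the release shown in the panel). "all versions" entries are reported unconditionally on purpose: the listing gives no bound for them, so they need a look at the CVE text rather than silent exclusion, and a clause the parser does not understand raises instead of being skipped for the same reason.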
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin