=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN682
_____________________________________________________________________

DATE                : 26/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Webmin versions prior
                     to 2.640.

=====================================================================
https://github.com/webmin/webmin/security/advisories/GHSA-qpww-fff2-6fgv
https://github.com/advisories/GHSA-6m8g-7xrr-8q5f
https://github.com/webmin/webmin/releases/tag/2.640
_____________________________________________________________________

Webmin 2FA requirement bypass
Moderate
webmin published GHSA-qpww-fff2-6fgv

Package
Webmin

Affected versions
<2.630

Patched versions
2.640


Description

Impact

For Webmin accounts that require a second authentication factor
(typically TOTP), an attacker with knowledge of the username and
password can bypass the 2FA requirement by using Basic authentication.
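
The class of defect described above is a second-factor check that is
enforced on one authentication entry point (the session login form) but
not on another (HTTP Basic). The following is an added illustration,
not Webmin code: a small authentication gate with a hypothetical
account store, an RFC 6238 TOTP implementation, and one policy that
both entry points must honour. Basic credentials carry no second
factor, so for an account that has one enrolled they are refused
outright and the caller is sent to the form login. The account names,
passwords and the demo secret (the RFC 6238 test key) are constructed.

```python
import base64
import hashlib
import hmac
import os
import struct

# Hypothetical account store (not Webmin's data model): each entry holds a
# PBKDF2 password hash, its salt and an optional TOTP secret (None = no 2FA).
PBKDF2_ROUNDS = 50_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(account, password):
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["pw_hash"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP over HMAC-SHA1, dynamically truncated to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1):
    """Accept the current code or one step either side to absorb clock skew."""
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), str(code)):
            return True
    return False


def basic_header(username, password):
    """Build the Authorization header a Basic-auth client would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers, form, users, now):
    """Return (ok, detail). Both entry points enforce the same 2FA policy."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return False, "malformed_basic"
        username, _, password = raw.partition(":")
        account = users.get(username)
        if account is None or not check_password(account, password):
            return False, "bad_credentials"
        if account["totp_secret"] is not None:
            # Basic credentials carry no second factor, so they cannot satisfy
            # a 2FA requirement. Omitting this branch is the class of defect
            # the advisory describes: 2FA enforced on the form login only.
            return False, "2fa_required_use_form_login"
        return True, username

    # Form (session) login path: password plus TOTP code when enrolled.
    username = form.get("user", "")
    account = users.get(username)
    if account is None or not check_password(account, form.get("pass", "")):
        return False, "bad_credentials"
    if account["totp_secret"] is not None:
        code = form.get("totp")
        if code is None:
            return False, "totp_required"
        if not verify_totp(account["totp_secret"], code, now):
            return False, "bad_totp"
    return True, username


def make_demo_users():
    """Constructed accounts: alice has 2FA (RFC 6238 test key), bob has none."""
    def account(pw, secret):
        salt = os.urandom(16)
        return {"salt": salt, "pw_hash": hash_password(pw, salt), "totp_secret": secret}
    return {
        "alice": account("alice-pw", b"12345678901234567890"),
        "bob": account("bob-pw", None),
    }


if __name__ == "__main__":
    users = make_demo_users()
    print(authenticate(basic_header("alice", "alice-pw"), {}, users, 59))
    print(authenticate({}, {"user": "alice", "pass": "alice-pw",
                            "totp": totp(b"12345678901234567890", 59)}, users, 59))
```

The point of the structure is that the 2FA decision hangs off the
account record, not off the request shape: any new entry point
(RPC, API token, reverse-proxy header) that resolves an account must
pass through the same `totp_secret is not None` branch.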

Patches

Upgrade to Webmin 2.640 to receive a fix.



Workarounds

Apply patch da18a16

Severity
Moderate

CVE ID
CVE-2026-42210

Weaknesses
No CWEs

______________________________________________________________


Webmin before 2.640 does not safely construct a filename...
Critical severity, unreviewed; published on May 27 to the
GitHub Advisory Database

Package
No package listed

Affected versions
Unknown

Patched versions
Unknown

Description

Webmin before 2.640 does not safely construct a filename for
saving of an attachment within the mailboxes component. This
occurs in mailboxes/detachall.cgi.
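
CWE-24 is a filename built from client-controlled input that is then
used as a path. The defensive pattern is to reduce the supplied name to
a single path component, confine the resulting path to the intended
directory, and create the file without following or clobbering anything
that already exists. The code below is an added example of that
pattern and is not Webmin's code; `sanitize_filename`, `confined_path`,
`unique_name` and `save_attachment` are hypothetical names, and the
test inputs are constructed.

```python
import os
import re
import unicodedata

# Control characters are stripped explicitly; path separators never survive
# because only the final path component of the supplied name is kept.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
MAX_NAME = 255
FALLBACK = "attachment"


def sanitize_filename(name, fallback=FALLBACK):
    """Reduce a client-supplied attachment name to one safe path component."""
    name = unicodedata.normalize("NFC", name or "")
    # Split on both / and \ so a name crafted under either platform's
    # convention cannot climb out of the target directory.
    name = re.split(r"[\\/]+", name)[-1]
    # Drop control characters, surrounding whitespace and leading dots
    # (no dot-files, and "." / ".." collapse to nothing).
    name = _CONTROL.sub("", name).strip().lstrip(".")
    if not name:
        return fallback
    return name[:MAX_NAME]


def confined_path(base_dir, name):
    """Join a sanitized name onto base_dir and prove the result stays inside."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, sanitize_filename(name)))
    # Defence in depth: sanitize_filename already removed separators, but the
    # parent of the resolved path must be exactly base before touching disk.
    if os.path.dirname(target) != base:
        raise ValueError(f"refusing to write outside {base}: {target}")
    return target


def unique_name(name, existing):
    """Pick a name absent from `existing` by inserting (1), (2), ... before the extension."""
    stem, ext = os.path.splitext(name)
    candidate, n = name, 1
    while candidate in existing:
        candidate = f"{stem} ({n}){ext}"
        n += 1
    return candidate


def save_attachment(base_dir, client_name, data):
    """Write `data` under base_dir using a sanitized, de-duplicated filename."""
    os.makedirs(base_dir, exist_ok=True)
    safe = unique_name(sanitize_filename(client_name), set(os.listdir(base_dir)))
    path = confined_path(base_dir, safe)
    # O_EXCL: a concurrent request (or a pre-planted symlink) cannot make us
    # write into an existing file; 0o600 keeps the attachment private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    import tempfile
    outdir = tempfile.mkdtemp()
    print(save_attachment(outdir, "../../etc/passwd", b"constructed demo body"))
```

Note that `sanitize_filename` prefers rewriting to rejecting: a
traversal-shaped name degrades to its last component (or to the
fallback) rather than producing an error, which keeps the mailbox
feature usable on odd but harmless names while the `confined_path`
check remains as the hard stop.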

References

    https://nvd.nist.gov/vuln/detail/CVE-2026-49103
    webmin/webmin@cf43287
    webmin/webmin@2.630...2.640


Severity
Critical
9.4 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : Low
  User Interaction     : None
Vulnerable System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High
Subsequent System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS score
0.303% (22nd percentile)

Weaknesses
Weakness CWE-24

CVE ID
CVE-2026-49103

GHSA ID
GHSA-6m8g-7xrr-8q5f

Source code
No known source code
_____________________________________________________________________

2.640

    Add new nftables module with profiles, saved tables, and chains/sets management
    Add new Nginx module with look and feel matching the Apache module
    Add option to hide sensitive values (like passwords or tokens) from Webmin's request logs
    Add custom ACME server support for Webmin SSL renewal
    Add support for the latest MariaDB on Ubuntu 26.04
    Add multi-statement SQL query support when executing inline in MySQL/MariaDB module
    Add support for ext4 hidden inode quota mode
    Add used space and usage percentage reporting for ZFS in the dashboard
    Add mass enable and disable buttons for status monitors in the System and Server Status module
    Update tiny ACME client to the latest version
    Update DHCP default config for openSUSE 16 #2678
    Fix to prevent bypassing two-factor authentication in RPC requests
    Fix session cookies to use safer defaults
    Fix handling of connections coming through a reverse proxy
    Fix unsafe mailbox attachment handling in Mailbox module
    Fix unsafe decoding of Outlook winmail.dat attachments
    Fix Certbot standalone port conflicts
    Fix to correctly preserve full quoted action parameters in the Fail2Ban jail editor #2647
    Fix Fail2Ban default jail options to preserve required timing defaults when saving
    Fix ZFS to fall back to df when disk space cannot be computed from zpool
    Fix to allow toggling process priority and I/O controls on or off
    Fix issue where disabled email notifications were still being processed
    Update Authentic theme to the latest version with various improvements and fixes:
        Upgrade stats history graphs from laggy SVG to a blazing-fast canvas renderer
        Add option to control corner roundness for the menu, content area and right-side slider
        Change the content area to use rounded corners and a margin by default
        Fix message of the day display in login page correctly webmin#2555
        Fix tooltip visibility in dark palette
        Fix session login button spinner
        Fix various button styling issues (active state, tiny buttons, airy buttons, stack position)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================