Vulnerability in Webmin

CVE-2026-49103

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

EPSS: 0.001 (16.4th percentile) — read the EPSS interpretation.