Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.
CVE-2006-3392
- High exploitation likelihood — EPSS 78%
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- —
- EG Score
- 0.0(none)
- EPSS
- 99.5%
- KEV
- Not listed
Published
July 6, 2006
Last Modified
April 16, 2026
References (36)
- cve@mitrehttp://attrition.org/pipermail/vim/2006-July/000923.html
- cve@mitrehttp://attrition.org/pipermail/vim/2006-June/000912.html
- cve@mitrehttp://secunia.com/advisories/20892
- cve@mitrehttp://secunia.com/advisories/21105
- cve@mitrehttp://secunia.com/advisories/21365
- cve@mitrehttp://secunia.com/advisories/22556
- cve@mitrehttp://security.gentoo.org/glsa/glsa-200608-11.xml
- cve@mitrehttp://www.debian.org/security/2006/dsa-1199
- cve@mitrehttp://www.kb.cert.org/vuls/id/999601
- cve@mitrehttp://www.mandriva.com/security/advisories?name=MDKSA-2006:125
- cve@mitrehttp://www.osvdb.org/26772
- cve@mitrehttp://www.securityfocus.com/archive/1/439653/100/0/threaded
- cve@mitrehttp://www.securityfocus.com/archive/1/440125/100/0/threaded
- cve@mitrehttp://www.securityfocus.com/archive/1/440466/100/0/threaded
- cve@mitrehttp://www.securityfocus.com/archive/1/440493/100/0/threaded
Data Freshness Timeline
(refreshed 2× in last 7d / 12× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-13 22:25 UTCEPSS rescore
- 2026-07-11 08:22 UTCEPSS rescore
- 2026-07-02 14:00 UTCEPSS rescore
- 2026-07-01 15:01 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-23 21:29 UTCEPSS rescore
- 2026-06-23 21:29 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-15 17:44 UTCEPSS rescore
- 2026-06-13 22:56 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-11 13:55 UTCEPSS rescore
- 2026-06-10 22:14 UTCEPSS rescore
- 2026-06-10 13:17 UTCEPSS rescore
- 2026-06-07 15:21 UTCEPSS rescore
- 2026-06-06 13:44 UTCEPSS rescore
- 2026-06-06 13:44 UTCEPSS rescore
- 2026-06-05 22:43 UTCEPSS rescore
- 2026-06-05 06:07 UTCEPSS rescore
- 2026-06-05 06:07 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
Show 21 moreShow fewer
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-05-31 07:49 UTCEG score recompute
- 2026-05-31 07:49 UTCGHSA enrichment
- 2026-05-31 00:13 UTCEPSS rescore
- 2026-05-31 00:13 UTCEPSS rescore
- 2026-05-31 00:13 UTCEPSS rescore
- 2026-05-29 13:40 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-21 22:38 UTCEPSS rescore
- 2026-05-20 22:36 UTCEPSS rescore
- 2026-05-20 22:36 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(6 references)Working exploit code is in the public domain (1 Metasploit module) (2 GitHub PoCs) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Open source ↗GitHub PoCbrosck/CVE-2006-3392First seen Apr 4, 2023
- GitHub PoCIvanGlinkin/CVE-2006-3392First seen Dec 4, 2020
This small script helps to avoid using MetaSploit (msfconsole) during the Enterprise pentests and OSCP-like exams. Grep included function will help you to get only the important information.
Open source ↗ - Exploit-DBEDB-2017✓ verifiedFirst seen Jul 15, 2006
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
Open source ↗ - Exploit-DBEDB-1997✓ verifiedFirst seen Jul 9, 2006
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
Open source ↗ - Metasploitauxiliary/admin/webmin/file_disclosure✓ verifiedFirst seen Jun 30, 2006
Webmin File Disclosure
Open source ↗ - Nucleihttp/cves/2006/CVE-2006-3392.yamlFirst seen Jan 1, 2006
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
Open source ↗
Frequently asked(4)
What is CVE-2006-3392?
When was CVE-2006-3392 disclosed?
Is CVE-2006-3392 actively exploited?
How do I remediate CVE-2006-3392?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2006-3392
Is Your Infrastructure Affected by CVE-2006-3392?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.