GHSA-9848-6qgw-2748MediumCVSS 5.3

Webmin accepts basic authentication without session cookies when an attacker provides the 'User...

Published
June 18, 2026
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

🔗 References (6)