Platform
php
Component
mailinspector
Fixed in
5.3.3
CVE-2026-3610 is a cross-site scripting (XSS) vulnerability in HSC Cybersecurity Mailinspector, reported as affecting versions 5.3.2-3 through 5.4.0. The flaw is in /mailinspector/mliUserValidation.php, where the value of the error_description argument is rendered into the response without adequate output encoding, so an attacker who controls that value can inject script into the page. Note that this entry reports the fixed release inconsistently: the summary fields list 5.3.3, the text cites 5.4.0, and 5.4.0 also falls inside the stated affected range. Confirm the exact fixed release against the vendor advisory before closing the finding.
Successful exploitation of CVE-2026-3610 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session with Mailinspector. Typical consequences are theft of session cookies or tokens, redirection to phishing pages, and modification of the displayed content. The attack is remote: no local access is required, although, as with any XSS that rides on a request parameter, a victim must be induced to load a crafted request (for example, by clicking a link). Because a proof-of-concept is public, the effort required to weaponise it is low. Any user who interacts with an affected Mailinspector instance is exposed.
CVE-2026-3610 was published on 2026-03-06 with a public proof-of-concept, which raises the likelihood of exploitation. Its CVSS base score is 4.3 (Medium), consistent with an XSS that requires user interaction and yields limited direct impact. It is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3610 is to upgrade Mailinspector to the release that contains the fix (cited as 5.4.0 in this entry; see the note on version inconsistency above). If an immediate upgrade is not possible, ensure that the error_description value is HTML-encoded at the point where it is written into the page (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit charset) rather than relying on input filtering alone, since encoding at output is what actually prevents script injection. A web application firewall tuned to block common XSS payloads adds a layer of defence but can be bypassed and should not be the only control. After upgrading, verify the fix on a non-production instance: send a request to /mailinspector/mliUserValidation.php with a harmless marker in error_description (for example, a string containing angle brackets and a unique token) and confirm that the response either omits it or returns it encoded (as &lt; and &gt;), not as raw markup.
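The verification step above can be scripted. The following is an added example, not code from HSC Cybersecurity or from the Mailinspector product. It assumes the parameter is read from the GET query string (the advisory does not state the HTTP method), uses a unique canary so matches in the response are unambiguous, and classifies the reflection as unencoded, encoded, or absent. The two `*_render` functions are constructed stand-ins for the pre-fix and post-fix behaviour so that the check can be exercised offline; `probe_live` performs the same check against a real base URL when one is supplied.

```python
"""Reflected-XSS check for the error_description parameter (added example)."""
import html
import secrets
import sys
import urllib.request
from urllib.parse import urlencode, urljoin

# Endpoint and parameter named in the advisory.
AFFECTED_PATH = "/mailinspector/mliUserValidation.php"
PARAM = "error_description"


def make_canary() -> str:
    """Unique token so a reflection cannot be confused with normal page text."""
    return "xsschk" + secrets.token_hex(4)


def build_probe(base_url: str, canary: str) -> tuple[str, str]:
    """Return (probe_url, payload).

    The payload closes an attribute and opens a tag named after the canary.
    The tag is not a real element, so it cannot execute anything, but a
    vulnerable page will return it as raw markup.
    Assumption: the parameter is accepted via the GET query string.
    """
    payload = f'"><{canary}>'
    url = urljoin(base_url, AFFECTED_PATH) + "?" + urlencode({PARAM: payload})
    return url, payload


def classify_reflection(body: str, canary: str) -> str:
    """'unencoded' if the canary tag came back as markup, 'encoded' if only an
    escaped copy is present, 'absent' if the value was not reflected at all."""
    if f"<{canary}>" in body:
        return "unencoded"
    if canary in body:
        return "encoded"
    return "absent"


def vulnerable_render(value: str) -> str:
    """Constructed stand-in for the pre-fix behaviour: the value is echoed raw."""
    return f"<div class='error'>{value}</div>"


def hardened_render(value: str) -> str:
    """Constructed stand-in for the fixed behaviour: equivalent of PHP's
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return f"<div class='error'>{html.escape(value, quote=True)}</div>"


def probe_live(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the affected page with a canary and classify the reflection.
    Only run this against an instance you are authorised to test."""
    canary = make_canary()
    url, _ = build_probe(base_url, canary)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, canary)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_live(sys.argv[1]))
    else:
        # Offline demonstration against the constructed renderers.
        canary = make_canary()
        _, payload = build_probe("https://mail.example.test/", canary)
        print("pre-fix :", classify_reflection(vulnerable_render(payload), canary))
        print("post-fix:", classify_reflection(hardened_render(payload), canary))
```

Run it with no arguments to see the constructed pre-fix and post-fix cases classified, or pass the base URL of a test instance to probe it directly. A result of `unencoded` after the upgrade means the fix is not in place; `encoded` or `absent` is the expected outcome.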
Update Mailinspector to the fixed release (cited as 5.4.0 in this entry) or later, which resolves the cross-site scripting vulnerability. If you cannot update immediately, ask the vendor whether an interim fix is available for your installed version.
CVE-2026-3610 is a cross-site scripting (XSS) vulnerability affecting Mailinspector versions 5.3.2-3 through 5.4.0, allowing attackers to inject malicious scripts.
You are affected if you run Mailinspector in the reported range, versions 5.3.2-3 through 5.4.0. Upgrade to the fixed release (cited as 5.4.0 in this entry; verify against the vendor advisory) to resolve the issue.
Upgrade Mailinspector to the fixed release (cited as 5.4.0 in this entry) or later. If upgrading is not immediately possible, HTML-encode the error_description value where it is written into the page as a temporary workaround.
A proof-of-concept for CVE-2026-3610 is publicly available, which lowers the bar for exploitation. There is no confirmed report of in-the-wild exploitation in this entry: the EPSS probability is 0.03% and the CVE is not in CISA's KEV catalog.
Refer to the vendor's advisory for the authoritative fixed version and patch details; the vendor responded promptly when contacted about the disclosure.