Platform
php
Component
mailinspector
Fixed version
5.3.3
CVE-2026-3610 describes a cross-site scripting (XSS) vulnerability discovered in HSC Cybersecurity Mailinspector versions 5.3.2-3 through 5.4.0. This flaw allows attackers to inject malicious scripts, potentially leading to session hijacking or defacement. The vulnerability resides within the /mailinspector/mliUserValidation.php file, specifically concerning the handling of the error_description argument. A fix is available in version 5.4.0.
Successful exploitation of CVE-2026-3610 enables an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including the theft of session cookies, redirection to phishing websites, and the modification of displayed content. The remote nature of the vulnerability means an attacker does not need local access to exploit it. Given the public availability of the exploit, the risk of immediate exploitation is elevated. The impact extends to any user interacting with Mailinspector within the affected version range.
CVE-2026-3610 is a publicly disclosed vulnerability with a known proof-of-concept. The exploit's public availability significantly increases the likelihood of exploitation. The CVSS score of 4.3 (Medium) reflects the potential impact and ease of exploitation. It was published on 2026-03-06. No KEV listing is currently available.
Organizations utilizing Mailinspector for email security and management, particularly those running versions 5.3.2-3 through 5.4.0, are at risk. Shared hosting environments where multiple users share the same Mailinspector instance are especially vulnerable, as an attacker could potentially compromise other users' sessions.
• generic web: Use curl to test the /mailinspector/mliUserValidation.php endpoint with a crafted payload containing <script>alert('XSS')</script> in the error_description parameter. Check the response for the alert box.
  curl 'http://your-mailinspector-instance/mailinspector/mliUserValidation.php?error_description=<script>alert("XSS")</script>' -s
• generic web: Examine access and error logs for requests to /mailinspector/mliUserValidation.php containing suspicious characters or script tags in the error_description parameter.
• php: Review the source code of /mailinspector/mliUserValidation.php for inadequate input sanitization of the error_description variable.
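The log-review step above can be automated. The script below is an added example written for this page, not tooling from HSC Cybersecurity or the Mailinspector project. It parses combined-format access log lines (the sample lines are constructed, not real traffic), isolates requests to /mailinspector/mliUserValidation.php, percent-decodes the error_description value repeatedly so that double-encoded payloads are not missed, and classifies each hit as a script tag, as containing suspicious markup characters, or as benign. The log format and field names are assumptions; adjust LOG_RE if your web server writes a different layout.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/mailinspector/mliUserValidation.php"
PARAM = "error_description"

# Apache/nginx "combined" format: client ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Opening or closing <script> tag, tolerant of whitespace and case.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Constructed sample log lines for demonstration; not captured from a real system.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Mar/2026:10:01:02 +0000] "GET /mailinspector/mliUserValidation.php?error_description=invalid%20token HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [06/Mar/2026:10:01:05 +0000] "GET /mailinspector/mliUserValidation.php?error_description=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.5.0"
203.0.113.12 - - [06/Mar/2026:10:02:11 +0000] "GET /mailinspector/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [06/Mar/2026:10:03:40 +0000] "GET /mailinspector/mliUserValidation.php?error_description=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.14 - - [06/Mar/2026:10:04:01 +0000] "GET /mailinspector/mliUserValidation.php?error_description=token%20%3E%2060%20chars HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %253C (double-encoded '<') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(raw_value):
    """Return 'script_tag', 'suspicious_chars' or 'benign' for one parameter value."""
    value = fully_decode(raw_value)
    if SCRIPT_TAG_RE.search(value):
        return "script_tag"
    if any(ch in value for ch in "<>\"'"):
        return "suspicious_chars"
    return "benign"


def scan_log(text):
    """Yield one finding per error_description value sent to the affected endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs already decodes one layer; keep_blank_values records empty parameters too.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "verdict": classify(raw),
                "decoded": fully_decode(raw),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        if f["verdict"] != "benign":
            print(f"{f['time']} {f['client']} {f['verdict']}: {f['decoded']!r}")
```

Treat "suspicious_chars" as a review queue rather than an alert: a legitimate error message can contain a quote or angle bracket, whereas a decoded <script> tag in this parameter has no benign explanation and should be correlated with the client address and any follow-on session activity.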
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3610 is to upgrade Mailinspector to version 5.4.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and sanitization on the error_description parameter to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script (e.g., <script>alert('XSS')</script>) through the affected parameter and verifying that the script does not execute.
Update Mailinspector to version 5.4.0 or later. This version contains the fix for the cross-site scripting vulnerability. If you cannot update immediately, ask the vendor to provide a hotfix.
CVE-2026-3610 is a cross-site scripting (XSS) vulnerability affecting Mailinspector versions 5.3.2-3 through 5.4.0, allowing attackers to inject malicious scripts.
You are affected if you are using Mailinspector versions 5.3.2-3 through 5.4.0. Upgrade to 5.4.0 to resolve the issue.
Upgrade Mailinspector to version 5.4.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
Due to the public availability of a proof-of-concept, CVE-2026-3610 is likely being actively exploited.
Refer to the vendor's advisory, which was provided promptly upon contact and details the fix implemented in version 5.4.0.