CVE-2026-29962
Analyzed Analyzed - Analysis Complete
Local File Inclusion in HSC MailInspector v5.3.3-7

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: MITRE

Description
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-29962
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hsclabs mailinspector 5.3.3-7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Local File Inclusion (LFI) issue in HSC MailInspector version 5.3.3-7. It occurs because the application does not properly control user-supplied file paths in the /vendor/phpunit/phpunit.php endpoint. An attacker can manipulate parameters to perform path traversal, allowing them to read arbitrary files on the server.

Impact Analysis

Exploiting this vulnerability can allow a remote attacker to access sensitive files on the server, potentially exposing confidential information stored in the operating system or application directories. This can lead to information disclosure and further compromise of the affected system.

Compliance Impact

The vulnerability in HSC MailInspector v5.3.3-7 allows remote attackers to read arbitrary files from the system, leading to sensitive information disclosure. Such unauthorized access to sensitive data can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and health-related information to prevent unauthorized disclosure.

Specifically, the Local File Inclusion (LFI) vulnerability can expose confidential files, potentially including personal data or protected health information, thereby violating confidentiality requirements and increasing the risk of data breaches under these standards.

Detection Guidance

This vulnerability can be detected by checking if the endpoint /vendor/phpunit/phpunit.php is accessible and processes user-controlled parameters that affect file access without proper validation.

One way to detect exploitation attempts is to monitor HTTP requests targeting the /vendor/phpunit/phpunit.php endpoint with path traversal patterns such as ../ or encoded equivalents.

You can use network monitoring tools or web server logs to identify suspicious requests.

  • Use curl or wget to test the endpoint for path traversal, for example: curl 'http://target/vendor/phpunit/phpunit.php?file=../../../../etc/passwd'
  • Search web server logs for requests containing ../ sequences targeting /vendor/phpunit/phpunit.php.
  • Use intrusion detection system (IDS) rules to alert on path traversal attempts on this endpoint.
Mitigation Strategies

Immediate mitigation steps include restricting or disabling access to the vulnerable endpoint /vendor/phpunit/phpunit.php.

Apply input validation and sanitization to user-supplied file path parameters to prevent path traversal.

If possible, update or patch HSC MailInspector to a version that fixes this vulnerability.

Implement web application firewall (WAF) rules to block requests containing path traversal patterns targeting this endpoint.

Limit file system permissions of the web server process to restrict access to sensitive files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart