CVE-2026-29962
Local File Inclusion in HSC MailInspector v5.3.3-7
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hsclabs | mailinspector | 5.3.3-7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in HSC MailInspector v5.3.3-7 allows remote attackers to read arbitrary files from the system, leading to sensitive information disclosure. Such unauthorized access to sensitive data can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and health-related information to prevent unauthorized disclosure.
Specifically, the Local File Inclusion (LFI) vulnerability can expose confidential files, potentially including personal data or protected health information, thereby violating confidentiality requirements and increasing the risk of data breaches under these standards.
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in HSC MailInspector version 5.3.3-7, classified as CWE-73 (external control of file name or path). It occurs because the application does not properly restrict user-supplied file paths reaching the /vendor/phpunit/phpunit.php endpoint. An attacker can supply path traversal sequences (../) in a request parameter and have the server read arbitrary files it has permission to open; despite the "Local" in LFI, the attacker is remote. The advisory does not name the vulnerable parameter.
How can this vulnerability impact me?
Exploiting this vulnerability can allow a remote attacker to access sensitive files on the server, potentially exposing confidential information stored in the operating system or application directories. This can lead to information disclosure and further compromise of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
An instance is potentially affected if /vendor/phpunit/phpunit.php is reachable over HTTP; a PHPUnit test-framework file should not be web-accessible on a production mail gateway at all, so its presence alone is a finding worth following up.
Exploitation attempts can be detected by monitoring HTTP requests to /vendor/phpunit/phpunit.php whose parameters contain path traversal patterns such as ../, its URL-encoded form %2e%2e%2f, the backslash variant ..\, or double-encoded forms such as %252e%252e%252f. Decode the request before matching, or a single-encoding filter will miss the encoded variants.
Web server access logs or network monitoring can identify such requests. Note that access logs normally record the query string of GET requests only; traversal sequences sent in a POST body will not appear there.
- Use curl or wget to test the endpoint for path traversal, for example: curl 'http://target/vendor/phpunit/phpunit.php?file=../../../../etc/passwd' (the parameter name file is a placeholder, since the advisory does not disclose the actual parameter). A positive result is a response whose body contains the target file, for example lines of the form root:x:0:0 for /etc/passwd.
- Search web server logs for requests to /vendor/phpunit/phpunit.php containing ../ sequences or their encoded equivalents.
- Use intrusion detection system (IDS) rules to alert on path traversal attempts against this endpoint, matching on the decoded request.
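A log-scanning check for the pattern described above, added here as an example; it is not part of this advisory or of the MailInspector product. The access-log lines are constructed for illustration, and the file query parameter in them is an assumed name, since the advisory does not disclose which parameter is vulnerable. The scanner percent-decodes each request target repeatedly (bounded) so that single- and double-encoded traversal sequences and backslash variants are all caught.

```python
"""Scan web-server access-log lines for path-traversal attempts against
/vendor/phpunit/phpunit.php. Added example for this advisory page; the log
lines below are constructed, not taken from any real MailInspector host, and
the 'file' parameter name is an assumption (the advisory does not name it)."""
import re
from urllib.parse import unquote

TARGET_PATH = "/vendor/phpunit/phpunit.php"

# Request field of the common/combined log format: "METHOD /path?query HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# A '..' segment followed by a separator or the end of the string, checked
# after decoding and after backslashes have been normalised to slashes.
_TRAVERSAL_RE = re.compile(r"\.\.(/|$)")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e%2f and the
    double-encoded %252e%252e%252f both collapse to ../ before matching."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_attempt(request_target: str) -> bool:
    """True if the request hits the phpunit endpoint and any part of the
    decoded target (path or query) contains a traversal sequence."""
    decoded = fully_decode(request_target).replace("\\", "/")
    path = decoded.partition("?")[0]
    if not path.lower().startswith(TARGET_PATH):
        return False
    return bool(_TRAVERSAL_RE.search(decoded))


def scan_log(lines):
    """Return (client_ip, request_target) for every line that looks like an
    exploitation attempt; lines without a parseable request field are skipped."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("target")))
    return hits


# Constructed sample log (combined format). Lines 1-3 are attempts with plain,
# single-encoded and double-encoded traversal; lines 4-5 are benign.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/May/2026:10:01:02 +0000] "GET /vendor/phpunit/phpunit.php?file=../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/8.5.0"',
    '203.0.113.10 - - [18/May/2026:10:01:05 +0000] "GET /vendor/phpunit/phpunit.php?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 512 "-" "curl/8.5.0"',
    '203.0.113.11 - - [18/May/2026:10:02:00 +0000] "GET /vendor/phpunit/phpunit.php?file=..%252f..%252fwindows%252fwin.ini HTTP/1.1" 200 92 "-" "python-requests/2.32"',
    '198.51.100.7 - - [18/May/2026:10:03:00 +0000] "GET /login.php?next=../admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [18/May/2026:10:04:00 +0000] "GET /vendor/phpunit/phpunit.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```

Run it against a real access log with `scan_log(open("access.log"))`; a 200 response on a hit (as opposed to 403 or 404) is the line to triage first, because it suggests the read succeeded.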
What immediate steps should I take to mitigate this vulnerability?
- Restrict or disable access to the vulnerable endpoint /vendor/phpunit/phpunit.php. PHPUnit is a development test framework and should not be reachable from the web in production, so denying the whole /vendor/ directory at the web server is a more robust restriction than blocking the single file.
- Apply input validation to user-supplied file path parameters: resolve the requested path against the intended base directory and reject anything that escapes it, rather than only stripping ../ from the input.
- Update or patch HSC MailInspector to a version that fixes this vulnerability, if the vendor has published one.
- Implement web application firewall (WAF) rules to block requests containing path traversal patterns (including URL-encoded and double-encoded forms) targeting this endpoint; treat this as a stopgap, not a fix.
- Limit file system permissions of the web server process so that files outside the application directory cannot be read even if the check is bypassed.
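The validation step above, and the CWE-73 weakness described in the explanation earlier on this page, as an added generic illustration. This is not MailInspector's code (the advisory does not publish the vulnerable source or the parameter name); read_file_unsafe, read_file_safe and the sandbox directory layout are constructed for the example. The unsafe reader joins the user value onto the base directory with no check, so a ../ prefix escapes; the hardened reader resolves symlinks and .. with realpath and then requires the result to remain inside the base directory before opening it, which also rejects absolute paths.

```python
"""Generic illustration of CWE-73 (external control of file path) and its
fix, added to this advisory page. Not MailInspector code; the function and
directory names are assumptions made for the example. Uses a temporary
directory as the allowed base so the demo runs offline."""
import os
import tempfile


def read_file_unsafe(base_dir: str, user_path: str) -> bytes:
    """Vulnerable pattern: the user-controlled name is joined onto the base
    directory with no containment check, so '../secret.txt' escapes base_dir
    and an absolute path replaces it entirely."""
    with open(os.path.join(base_dir, user_path), "rb") as fh:
        return fh.read()


def read_file_safe(base_dir: str, user_path: str) -> bytes:
    """Hardened pattern: canonicalise both the base and the candidate (realpath
    resolves '..' and symlinks), then refuse anything whose canonical form is
    not under the canonical base. Stripping '../' from the input is not enough;
    the check must be on the resolved path."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes allowed directory: {user_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a sandbox: base_dir holds one legitimate file, and a secret file
    sits one level above it. Show the unsafe reader leaking the secret and the
    safe reader serving the legitimate file while refusing both a relative
    traversal and an absolute path."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "templates")
    os.mkdir(base)
    with open(os.path.join(base, "report.txt"), "wb") as fh:
        fh.write(b"legit")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"TOP SECRET")

    result = {
        "unsafe_leak": read_file_unsafe(base, "../secret.txt"),
        "safe_legit": read_file_safe(base, "report.txt"),
    }
    for key, attempt in (("safe_blocked", "../secret.txt"),
                         ("safe_blocked_absolute", secret)):
        try:
            read_file_safe(base, attempt)
            result[key] = False
        except PermissionError:
            result[key] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The realpath-then-commonpath check is the portable form of the containment test; a prefix comparison on the raw joined string would pass "/srv/app/templates/../secret.txt" and, on systems where the base directory is itself a symlink (for example macOS temp directories), can fail on legitimate paths.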