CVE-2026-29964
XSS Vulnerability in HSC MailInspector v5.3.3-7
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hsclabs | mailinspector | 5.3.3-7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /mailinspector/tap/tap.php endpoint for improper neutralization of user-supplied input containing alternate or obfuscated JavaScript syntax.
A common approach is to send crafted HTTP requests with payloads that include various forms of JavaScript code to see if the input is reflected unsanitized in the HTTP response.
For example, using curl or similar tools, you can send requests with payloads like `<script>alert(1)</script>` or obfuscated variants to the vulnerable endpoint and observe the response.
- `curl -v 'http://[target]/mailinspector/tap/tap.php?input=<script>alert(1)</script>'`
- `curl -v 'http://[target]/mailinspector/tap/tap.php?input=%3Cscript%3Ealert(1)%3C/script%3E'`
If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue found in HSC MailInspector version 5.3.3-7. It occurs in the /tap/tap.php endpoint where user input is not properly neutralized or sanitized. Specifically, the application fails to adequately encode output when reflecting user-controlled input, allowing attackers to inject and execute arbitrary JavaScript code in the victim's browser by using alternate or obfuscated JavaScript syntax.
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to execute arbitrary JavaScript code within the context of a victim's browser. This can lead to various impacts such as theft of sensitive information (e.g., cookies, session tokens), unauthorized actions performed on behalf of the victim, and potential compromise of user accounts or data integrity.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying proper output encoding and input validation on the /mailinspector/tap/tap.php endpoint to neutralize alternate or obfuscated JavaScript syntax.
If a patch or update from the vendor is available, it should be applied promptly to fix the vulnerability.
As a temporary workaround, consider implementing web application firewall (WAF) rules to detect and block suspicious input patterns targeting this endpoint.
Additionally, restrict access to the vulnerable endpoint to trusted users or networks if possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary JavaScript in a victim's browser, which can lead to session token theft, session hijacking, content manipulation, phishing, and privilege escalation attacks.
Such impacts can compromise the confidentiality and integrity of user data, potentially leading to violations of data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Therefore, this vulnerability may negatively affect compliance with these standards by exposing user data to unauthorized access and manipulation.