The Webmin HTTP server (miniserv.pl) allows...
Critical severity
Unreviewed
Published
Jun 18, 2026
to the GitHub Advisory Database
•
Updated Jun 18, 2026
Description
Published by the National Vulnerability Database
Jun 18, 2026
Published to the GitHub Advisory Database
Jun 18, 2026
Last updated
Jun 18, 2026
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.
References