CVE-2026-29962
Published 2026-05-18
Priority P3 49, high, 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.37% (29.0th percentile)
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hsclabs | mailinspector | — | — |
VulDB
HSC Mailinspector 5.3.3-7 Endpoint phpunit.php path traversal
vuldb·2026-05-18
CVE-2026-29962 [CRITICAL] HSC Mailinspector 5.3.3-7 Endpoint phpunit.php path traversal
A vulnerability marked as critical has been reported in HSC Mailinspector 5.3.3-7. This affects an unknown part of the file /vendor/phpunit/phpunit.php of the component Endpoint. The manipulation leads to path traversal.
This vulnerability is uniquely identified as CVE-2026-29962. The attack can be carried out remotely. No exploit exists.
GHSA
GHSA-gx62-92q7-r437: HSC MailInspector v5
ghsa_unreviewed·2026-05-18
CVE-2026-29962 [HIGH] CWE-73 GHSA-gx62-92q7-r437: HSC MailInspector v5
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.