Cyber Resilience

CVE-2026-29962

High

Published: 18 May 2026

Published
18 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0037 28.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29962 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Hsclabs Mailinspector. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a…

more

remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

LFI via path traversal on public web endpoint directly enables remote exploitation of a public-facing app (T1190) and arbitrary local file reads for data collection (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29963Same product: Hsclabs Mailinspector
CVE-2026-8043Shared CWE-73
CVE-2026-5210Shared CWE-73
CVE-2026-29611Shared CWE-73
CVE-2026-43891Shared CWE-73
CVE-2026-33354Shared CWE-73
CVE-2025-53912Shared CWE-73
CVE-2026-48920Shared CWE-73
CVE-2025-65473Shared CWE-73
CVE-2026-33476Shared CWE-73

Affected Assets

hsclabs
mailinspector
5.3.3-7

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-73

Rejects externally supplied file or resource identifiers that fail validity checks.

References