CVE-2025-67738

Published: Dec 11, 2025

Modified: Dec 18, 2025

PUBLISHED

CVSS v3.1

8.5

HIGH

Description

squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option).

Vendor	Product	Versions
Webmin	Webmin	affected `0 - < 2.600`

Weaknesses (CWE)

CWE-78

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee

https://github.com/webmin/webmin/compare/2.520...2.600

https://webmin.com/security/#privilige-escalation-using-squid-module-cve-2025-67738

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-67738

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References