CVE-2026-29963

High

Published: 18 May 2026

Published

18 May 2026

Modified

19 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0005 15.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29963 is a high-severity Path Traversal (CWE-22) vulnerability in Hsclabs Mailinspector. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

NVD Description

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote…

attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-22

Affected Products

hsclabs

mailinspector

5.3.3-7

References

https://github.com/sql3t0/cve-disclosures
Third Party Advisory · cve@mitre.org
https://github.com/sql3t0/cve-disclosures/blob/main/02_-_CVE-2026-29963_LFI%2BPath_Traversal.md
Third Party Advisory · cve@mitre.org
https://hsclabs.com/pt-br/mailinspector/
Product · cve@mitre.org