Webmin and Virtualmin are common on self-managed hosting servers, VPS stacks, and small-provider control panels. If Webmin is exposed to administrators or delegated users, the May 2026 Webmin security fixes deserve attention even if the server is not a cPanel or Plesk machine.
The official Webmin security page lists several recent issues fixed around Webmin 2.640 and 2.641, including a two-factor authentication bypass path, mailbox attachment handling problems, and a stored XSS issue in the System and Server Status module. NVD also lists one of the mailbox issues as critical under CVSS 4.0. The practical recommendation is straightforward: update Webmin to 2.641 or later, then review delegated users, exposed access, mail module usage, and logs.
What changed
Webmin 2.640 and 2.641 include security-relevant fixes administrators should not ignore:
- Webmin before 2.641: stored XSS in the System and Server Status module, tracked as CVE-2026-22678.
- Webmin before 2.640: privilege escalation through the Help feature for untrusted Webmin users.
- Webmin before 2.640: SVG mail attachment XSS in the Read User Mail module, tracked as CVE-2026-49102.
- Webmin before 2.640: unsafe mailbox attachment filename handling, tracked as CVE-2026-49103.
- Webmin authentication hardening: a two-factor authentication bypass issue involving Basic HTTP authentication, listed by Webmin as CVE-2026-42210 and CVE-2026-56022.
NVD had records for CVE-2026-22678, CVE-2026-49102, CVE-2026-49103, and CVE-2026-56022 during this pass. CVE-2026-42210 was listed by Webmin but did not yet return an NVD record in this check. Use the Webmin security page as the primary source for the full cluster and NVD for CVSS detail where available.
Who should patch first
Patch Webmin promptly if any of these are true:
- Webmin is reachable from the internet, a customer VPN, or a broad admin network.
- You use Webmin or Virtualmin for delegated site, mail, DNS, or hosting administration.
- Additional non-root Webmin users exist.
- The Read User Mail, System and Server Status, or mailbox features are enabled.
- Two-factor authentication is enabled and you rely on it as a major control.
Even where the issue requires an authenticated user or user interaction, hosting servers are high-value targets. A delegated panel user, reused password, stale admin account, or exposed management interface can turn “medium” issues into real operational risk.
Backup and update plan
Before updating a production hosting server, take a recovery point that matches how the machine is hosted:
- For a VM: take a snapshot or provider backup and confirm recent file/database backups exist.
- For a bare-metal server: confirm current system backups and control-panel configuration backups.
- For Virtualmin: confirm virtual server backups, DNS zone backups, mail data backups, and database dumps.
- Record the current Webmin version, enabled modules, listening port, SSL certificate state, and trusted admin IPs.
Then update through the package manager or Webmin’s documented update path for your operating system. Debian and Ubuntu hosts commonly use the Webmin `.deb` package or Webmin repository path. RPM-based hosts commonly use the Webmin `.rpm` package or configured repository. Avoid random mirrors; use the official Webmin downloads and repositories.
After updating
After installing Webmin 2.641 or later, verify the operational state:
- Confirm Webmin reports version 2.641 or later.
- Confirm the Webmin service is running and listening only where intended.
- Confirm HTTPS works and the certificate is still valid.
- Log in with a normal admin account and confirm two-factor authentication behavior.
- Review Webmin users and remove stale delegated accounts.
- Review module permissions for non-root users.
- Check recent Webmin logs, system authentication logs, and mail-related logs for unusual access.
If the server is managed for clients, also test the workflows they use: website management, DNS edits, mailboxes, databases, scheduled backups, and any Virtualmin virtual server functions.
Exposure hardening
Do not rely on the Webmin update alone if the panel is broadly exposed. For hosting servers, apply a layered access model:
- Restrict Webmin to trusted admin IP ranges or VPN where possible.
- Keep two-factor authentication enabled for admin users.
- Disable or restrict modules that delegated users do not need.
- Separate day-to-day hosting tasks from root-level administration.
- Review reverse proxy and trusted proxy settings if Webmin sits behind a proxy.
- Document who has panel access and why they still need it.
For web hosts and agencies, customer communication should be simple: the hosting management panel is being updated for security, backups have been checked, and normal website/email service should continue unless a reboot or service restart is required.
Safe verification checklist
Use normal administrative checks only:
- Check the Webmin version from the UI or package manager.
- Check service status with your operating system’s service manager.
- Review logs for failed logins, unexpected admin sessions, and delegated-user activity.
- Confirm backup jobs still run after the update.
- Confirm mail and DNS tools still behave correctly if Webmin/Virtualmin manages them.
Do not run untrusted testing code against production Webmin. The point is to patch, reduce exposure, and verify the panel is healthy, not to test live exploitability.


