Webmin published two late-June hosting-panel updates that are worth scheduling on managed Linux servers: Webmin 2.650 with Usermin 2.550, followed by Webmin 2.651. The combined update is not just a cosmetic release. It includes new admin modules, proxy and account-control improvements, certificate handling fixes, File Manager hardening, and follow-up fixes for Certbot-backed certificates and Linux bond activation.
For hosting admins, the practical path is simple: back up the server, update Webmin and Usermin from the official source you already trust, restart the panel services, then verify the functions most likely to affect customer support: login, SSL renewal, File Manager work, package updates, web server modules, mail modules, and any network bond configuration.
What Changed In Webmin 2.650
Webmin 2.650 and Usermin 2.550 added several operational features that matter on real hosting boxes. Webmin lists new modules for systemd services and units, GRUB 2 boot management, and Kea DHCP Server. The release also adds WebSocket proxy support for the Webmin Servers Index module, basic Alpine Linux support, IP-based Let’s Encrypt certificate support with Certbot 5.3, editable SSH public keys for newly added Unix users, optional pre- and post-scripts for scheduled package updates, and RPC/API-only access controls for Webmin users.
The same release also carries security-relevant fixes. Webmin notes fixes for reflected XSS in status messages, authentication state handling for SSL certificate logins and proxied keep-alive requests, and path validation in File Manager, package delete helpers, and Apache virtual host handling. Those are the kinds of fixes that should be treated as panel-maintenance work, even if your server is not exposing every module to every administrator.
What Changed In Webmin 2.651
Webmin 2.651 is a smaller follow-up, but it is still useful for hosting operations. The release fixes Certbot-backed certificate requests and renewals so PEM paths are parsed correctly after issuance, fixes live activation of Linux bond interfaces, and updates the Authentic theme with File Manager search-result deletion fixes and cleanup improvements.
If your customers depend on Webmin for certificate requests, DNS, mail, package maintenance, or file operations, 2.651 is the safer target than stopping at 2.650.
Hosting Admin Checklist
- Back up first. Capture a restorable server snapshot or configuration backup before touching a production control panel.
- Update during a maintenance window. Treat the Webmin/Usermin update as control-plane maintenance, especially if customers or junior admins use the panel directly.
- Verify panel login. Check normal administrators, any reduced-permission panel users, and any RPC/API-only accounts after the update.
- Check certificates. Confirm existing certificates display correctly, then test the certificate renewal workflow in the panel without changing unrelated virtual hosts.
- Check File Manager workflows. Verify upload, delete, search-result cleanup, and quota-sensitive cases for a non-root administrative user.
- Review scheduled package updates. Confirm package-update email timing and any configured pre- or post-update scripts still match your maintenance policy.
- Test high-risk modules. Recheck Apache, Nginx, BIND, MariaDB/MySQL, PHP-FPM, Postfix, Dovecot, Fail2Ban, firewall, and user-management screens if they are enabled on the server.
- Check network bonds where used. Servers using Linux bonding should verify interface state and monitoring after the Webmin 2.651 update.
- Watch logs after rollout. Review panel, web server, mail, and system logs for authentication, certificate, module, or permission errors after the first admin session.
Who Should Prioritize This
Prioritize the update on servers where Webmin or Usermin is internet-accessible, where more than one administrator uses the panel, where File Manager is enabled, where certificate requests are handled through Webmin, or where Webmin manages production web, mail, DNS, firewall, database, or package-update tasks.
Lower-risk internal-only installations can still wait for a planned maintenance window, but the 2.650 security and validation fixes make this a better patch than a casual UI update.
Official Sources
Fix I.T. Phill is covering this as a defensive hosting-operations update. This article intentionally avoids exploit steps, request details, or scanner guidance.


