Company
Date Published
Author
Hayley Denbraver
Word count
510
Language
English
Hacker News points
3

Summary

A year-old, dormant, maliciously introduced remote code execution vulnerability was discovered in Webmin, a web-based interface for system administration for Unix. It has been present since at least July 2018, in versions 1.890 through 1.920. The vulnerability was introduced by a third party who injected malicious code into the SourceForge distribution point associated with the project. It was not responsibly disclosed to the maintainers, which put them under pressure to fix the problem quickly. Webmin users are strongly recommended to upgrade to version 1.930 as soon as possible; those unable to upgrade can mitigate the vulnerability by editing a configuration file and running a restart command. The discovery highlights the importance of keeping software up to date and being aware of potential security risks in open source dependencies.