Medium severity6.1NVD Advisory· Published Apr 22, 2026· Updated Apr 29, 2026

CVE-2018-25269

Description

ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.

Affected products

IceWarp/Icewarp
cpe:2.3:a:icewarp:icewarp:11.0.0.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/45974nvdExploitVDB Entry
www.vulncheck.com/advisories/icewarp-cross-site-scripting-via-email-html-injectionnvdThird Party Advisory
www.icewarp.comnvdProduct

News mentions

ZDI-26-130: IceWarp collaboration Directory Traversal Information Disclosure Vulnerability
Zero Day Initiative · Feb 25, 2026

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000