IceWarp
IceWarp, Inc. is a software company located in Prague, Czech Republic. It develops IceWarp Mail Server, an email, messaging and collaboration service for small, medium and enterprise-level businesses. IceWarp has offices in the United States, Germany, Russia, India, Dubai, and the Czech Republic. The company has been in business since 1998, and its product is used by over 50,000 businesses around the world. The product is an alternative to Exchange Server, Office 365 or G Suite.
Products
- 27 CVEs
- 26 CVEs
- 12 CVEs
- 9 CVEs
- 5 CVEs
- 4 CVEs
- 3 CVEs
- 1 CVE
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-14500 | | Cri | 0.64 | 9.8 | 0.01 | | Dec 23, 2025 | IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists… |
| CVE-2025-14499 | | Hig | 0.57 | 8.8 | 0.01 | | Dec 23, 2025 | IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious… |
| CVE-2015-1503 | | Hig | 0.56 | 7.5 | 0.59 | | May 8, 2018 | Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or… |
| CVE-2018-25269 | | Med | 0.40 | 6.1 | 0.00 | | Apr 22, 2026 | ICEWARP 10.3.4 and 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that… |
| CVE-2018-16324 | | Med | 0.40 | 6.1 | 0.01 | | Sep 1, 2018 | In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field. |
| CVE-2018-7475 | | Med | 0.40 | 6.1 | 0.01 | | Jun 30, 2018 | Cross-site scripting (XSS) vulnerability for webdav/ticket/ URIs in IceWarp Mail Server 12.0.3 allows remote attackers to inject arbitrary web script or HTML. |
| CVE-2017-7855 | | Med | 0.40 | 6.1 | 0.02 | | Aug 31, 2017 | In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" parameter. |
| CVE-2017-12844 | | Med | 0.31 | 4.8 | 0.01 | | Aug 23, 2017 | Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name. |
| CVE-2019-12593 | | | 0.09 | — | 0.41 | | Jun 3, 2019 | IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal. |
| CVE-2003-1192 | | | 0.09 | — | 0.69 | | Nov 3, 2003 | Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request. |
| CVE-2020-8512 | | | 0.06 | — | 0.15 | | Jan 31, 2020 | In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter. |
| CVE-2023-39598 | | | 0.05 | — | 0.01 | | Sep 5, 2023 | Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter. |
| CVE-2026-2493 | | | 0.04 | — | 0.04 | | Mar 13, 2026 | IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw… |
| CVE-2005-4557 | | | 0.04 | — | 0.09 | | Dec 28, 2005 | dir/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, allows remote attackers to include arbitrary local files via a null byte (%00) in the lang parameter, possibly due to a directory traversal… |
| CVE-2005-4559 | | | 0.04 | — | 0.09 | | Dec 28, 2005 | mail/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly initialize the default_layout and layout_settings variables when an unrecognized HTTP_USER_AGENT string is provided, which allows… |
| CVE-2005-4558 | | | 0.04 | — | 0.08 | | Dec 28, 2005 | IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users… |
| CVE-2005-4556 | | | 0.04 | — | 0.10 | | Dec 28, 2005 | PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when register_globals is enabled, allows remote attackers to include arbitrary local and remote PHP files via a URL in the (1)… |
| CVE-2000-0507 | | | 0.04 | — | 0.07 | | Jun 1, 2000 | Imate Webmail Server 2.5 allows remote attackers to cause a denial of service via a long HELO command. |
| CVE-2023-40779 | | | 0.03 | — | 0.01 | | Sep 14, 2023 | An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL. |
| CVE-2012-2593 | | | 0.03 | — | 0.06 | | Feb 6, 2020 | Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email. |