Description
ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.
Published: 2026-04-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side XSS allowing session hijacking and data theft
Action: Update Client
AI Analysis

Impact

The vulnerability arises from a cross‑site scripting flaw in the Icewarp Client that permits attackers to embed base64‑encoded payloads inside object and embed tags of an email. When a recipient opens the compromised message, the payload is executed by the client, enabling arbitrary script execution in the user’s browser context. The net effect can compromise the viewing user’s session and expose sensitive data, as the injected script runs with the same privileges as the user. This flaw is listed as CWE‑79, a classic reflected XSS weakness.

Affected Systems

Icewarp Client is affected in the 10.3.4 and 11.0.0.0 releases. Both versions allow the described HTML injection when an email is rendered, so any user running those client versions that receives a malicious message is at risk. The issue is confined to the client software and does not affect the Icewarp mail server component directly.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity assessment. EPSS data is not available, so the likelihood of widespread exploitation remains undetermined from public metrics. The flaw is not listed in the CISA KEV catalog, suggesting no documented active exploitation at the time of the advisory. Attackers would need to deliver a crafted email containing the malicious payload, so the vulnerability is primarily remote and relies on user interaction. The absence of server‑side checks means a malicious sender can freely propagate the exploit via spam or phishing campaigns.

Generated by OpenCVE AI on April 22, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Icewarp Client to the latest patched version that removes the object/embed injection vector.
  • If an immediate upgrade is not possible, configure the client or corporate email gateway to strip or block object and embed tags as well as data URI schemes before rendering or delivery.
  • Implement email filtering rules that detect and sanitize base64‑encoded payloads or HTML content containing malformed attachment tags, and enforce stricter sandboxing for email rendering to prevent script execution.
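As an added, illustrative example (not part of the OpenCVE record or of Icewarp's own code), the gateway-side filtering in the second and third actions can be expressed as an HTML sanitizer that drops object/embed elements and strips data: URIs from URI-bearing attributes. The attribute list, the "plain raster images may stay inline" allow-list and the sample message body are assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# object/embed elements and data: URIs are the vector named in the advisory; the
# URI attribute list and the "raster images may stay inline" rule are assumptions.
BLOCKED_TAGS = {"object", "embed"}
URI_ATTRS = {"src", "data", "href", "codebase"}
UNSAFE_DATA_URI = re.compile(r"^\s*data\s*:(?!image/(png|jpe?g|gif|webp)[;,])", re.I)

class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append(f"dropped <{tag}> element")
            self.skip_depth += 1 if tag == "object" else 0  # embed is void: no body to skip
            return
        if self.skip_depth:  # inside a dropped <object>: discard its fallback content
            return
        kept = []
        for name, value in attrs:
            if name in URI_ATTRS and value and UNSAFE_DATA_URI.match(value):
                self.findings.append(f"stripped data: URI from <{tag} {name}>")
                continue
            kept.append(f' {name}="{html.escape(value, True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == "object":
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag != "embed" and not self.skip_depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize_email_html(raw_html):
    """Return (clean_html, findings); findings lists what the filter removed."""
    p = EmailHtmlSanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out), p.findings

# Constructed sample body: the base64 blobs decode to "<p>hi</p>" and a PNG file
# header respectively, neither is a real payload. Only the last <img> should survive.
SAMPLE = ('<p>Invoice attached</p>'
          '<embed src="data:text/html;base64,PHA+aGk8L3A+" type="text/html">'
          '<object data="DATA:text/html;base64,PHA+aGk8L3A+"><p>fallback</p></object>'
          '<a href="data:text/html;base64,PHA+aGk8L3A+">open</a><img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">')
```

The findings list is what a gateway would log or alert on; a non-empty list for an inbound message is the detection signal for this pattern, independent of whether the client has been updated.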

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.
Title ICEWARP 11.0.0.0 Cross-Site Scripting via Email HTML Injection
First Time appeared Icewarp
Icewarp icewarp
Weaknesses CWE-79
CPEs cpe:2.3:a:icewarp:icewarp:10.3.4:*:*:*:*:*:*:*
cpe:2.3:a:icewarp:icewarp:11.0.0.0:*:*:*:*:*:*:*
Vendors & Products Icewarp
Icewarp icewarp
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T15:48:35.082Z

Reserved: 2026-04-22T14:30:46.791Z

Link: CVE-2018-25269

Vulnrichment

Updated: 2026-04-22T15:47:52.071Z

NVD

Status : Analyzed

Published: 2026-04-22T16:16:47.567

Modified: 2026-04-29T23:22:26.817

Link: CVE-2018-25269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses