IceWarp Cross-Site Scripting Vulnerability via Email HTML Injection

Vulnerability

A cross-site scripting vulnerability has been identified in IceWarp version 11.0.0.0 and in all versions prior to 10.3.4. It allows an attacker to inject malicious HTML elements into an email by embedding base64-encoded payloads in object and embed tags. When the recipient views the email, the embedded script executes in the recipient's mail client, potentially compromising the user's session and exposing sensitive information.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's email client.

Reproduction

To reproduce this vulnerability, create an email in IceWarp 11.0.0.0 or any version prior to 10.3.4. Embed a base64-encoded payload containing a script into the email using object or embed tags. Once the email is received and viewed, the embedded script will execute, demonstrating the cross-site scripting vulnerability.
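As a defensive illustration, added here and not part of the IceWarp advisory or product, the following is a minimal rendering-side sanitizer that drops object/embed (and other active) elements and strips attributes carrying data: or javascript: URIs or inline event handlers before email HTML reaches a browser view. The sample message is constructed; its base64 content is the word CONSTRUCTED, not a script.

```python
from html import escape
from html.parser import HTMLParser
import re

# Active elements that have no place in rendered email; the advisory's vector is
# <object>/<embed> carrying a base64 payload. <embed> has no end tag, so it is
# treated as void and never opens a skip region.
BLOCKED_TAGS = {"object", "embed", "script", "iframe", "applet"}
BLOCKED_VOID = {"embed"}
# data: (including ;base64,) and script-scheme URIs are never allowed in attributes.
DANGEROUS_URI = re.compile(r"^\s*(data|javascript|vbscript)\s*:", re.IGNORECASE)


class EmailHTMLSanitizer(HTMLParser):
    """Rebuilds the markup, removing blocked elements with their content and
    dropping unsafe attributes. Anything removed is recorded in `findings`."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append(f"removed <{tag}> element")
            if tag not in BLOCKED_VOID:
                self.skip_depth += 1   # fail closed until the matching end tag
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (value and DANGEROUS_URI.match(value)):
                self.findings.append(f"removed attribute {name} on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_email_html(html):
    """Return (clean_html, findings) for one message body."""
    p = EmailHTMLSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings


SAMPLE_EMAIL_HTML = (  # constructed sample modelled on the advisory's vector
    '<p>Quarterly report attached.</p>'
    '<object data="data:text/html;base64,Q09OU1RSVUNURUQ=">fallback</object>'
    '<embed src="data:text/html;base64,Q09OU1RSVUNURUQ=">'
    '<a href="https://example.com/report" onclick="x()">Open</a>'
)
```

The findings list is what a gateway would log or alert on; an unclosed blocked element swallows the rest of the body by design rather than letting content leak past the filter.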

Added: Apr 22, 2026, 4:23 PM
Updated: Apr 22, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 7.9
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.