CVE-2018-25269
Published 2026-04-22
Priority: P426, medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.23% (13.7th percentile)
ICEWARP 10.3.4 and 11.0.0.0 contain a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icewarp | icewarp | — | — |
| icewarp | icewarp_client | — | — |
| icewarp | icewarp_client | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Icewarp Client 10.3.4/11.0.0.0 HTML Element HTML injection (Exploit 45974)
vuldb·2026-04-22·CVSS 5.1
CVE-2018-25269 [MEDIUM] Icewarp Client 10.3.4/11.0.0.0 HTML Element HTML injection (Exploit 45974)
A vulnerability has been found in Icewarp Client 10.3.4/11.0.0.0 and classified as problematic. This vulnerability affects unknown code of the component HTML Element Handler. Performing a manipulation results in HTML injection.
This vulnerability is reported as CVE-2018-25269. The attack is possible to be carried out remotely. Moreover, an exploit is present.
GHSA
GHSA-xx24-qg5f-3r29: ICEWARP 11
ghsa_unreviewed·2026-04-22
CVE-2018-25269 [MEDIUM] CWE-79 GHSA-xx24-qg5f-3r29: ICEWARP 11
ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-22