IceWarp vulnerabilities
9 known vulnerabilities affecting icewarp/icewarp.
Total CVEs: 9
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 6
Vulnerabilities
CVE-2025-14500 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v14.2.0.5 | 2025-12-23
IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the X-File-Operation header. The issue results fro
nvd
CVE-2026-2493 | P3 | HIGH | CVSS 7.5 | CWE-22 | v14.2.0.10 | 2026-03-16
IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.
The specific flaw exists within handling of the ticket parameter provided to the collaboration end
nvd
CVE-2023-39600 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | v11.4.6.0 | 2023-08-25
IceWarp 11.4.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
nvd
CVE-2024-55218 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | v10.2.1 | 2025-01-07
IceWarp Server 10.2.1 is vulnerable to Cross Site Scripting (XSS) via the meta parameter.
nvd
CVE-2023-37728 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | v10.2.1 | 2023-07-20
IceWarp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
nvd
CVE-2025-14499 | P3 | HIGH | CVSS 8.8 | CWE-79 | v14.2.0.5 | 2025-12-23
IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handlin
nvd
CVE-2024-0246 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v12.0.2.1, v12.0.3.1 | 2024-01-05
A vulnerability classified as problematic has been found in IceWarp 12.0.2.1/12.0.3.1. This affects an unknown part of the file /install/ of the component Utility Download Handler. The manipulation of the argument lang with the input 1%27"()%26%25alert(document.domain) leads to cross site scripting. It is possible to initiate the attack remotely. The ex
nvd
CVE-2018-25269 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v11.0.0.0 | 2026-04-22
ICEWARP 10.3.4 and 11.0.0.0 contain a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessio
nvd
CVE-2023-41013 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v10.3.1 | 2023-09-12
Cross Site Scripting (XSS) in Webmail Calendar in IceWarp 10.3.1 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.
nvd