SonicWall Email Security vulnerabilities
14 known vulnerabilities affecting sonicwall/email_security.
Total CVEs: 14
CISA KEV: 5 (actively exploited)
Public exploits: 4
Exploited in wild: 6
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 6, LOW 2
Vulnerabilities
CVE-2021-44228 | P1 | CRITICAL | CVSS 10.0 | CWE-20 | KEV | PoC | Ransomware | fixed in 10.0.13 | 2021-12-10
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LD
nvd
CVE-2021-45046 | P1 | CRITICAL | CVSS 9.0 | KEV | PoC | Ransomware | fixed in 10.0.12 | 2021-12-14
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context M
nvd
CVE-2021-20021 | P1 | CRITICAL | CVSS 9.8 | CWE-269 | KEV | PoC | Ransomware | fixed in 10.0.9.6103 | v10.0.9 and earlier | 2021-04-09
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
nvd
CVE-2021-20023 | P1 | MEDIUM | CVSS 4.9 | CWE-22 | KEV | Ransomware | fixed in 10.0.9.6173 | v10.0.9 and earlier | 2021-04-20
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
nvd
CVE-2021-20022 | P1 | HIGH | CVSS 7.2 | CWE-434 | KEV | Ransomware | fixed in 10.0.9.6103 | v10.0.9 and earlier | 2021-04-09
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.
nvd
CVE-2021-45105 | P1 | MEDIUM | CVSS 5.9 | CWE-20 | Exploited | PoC | Ransomware | ≤ 10.0.12 | 2021-12-18
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
nvd
CVE-2025-40604 | P2 | CRITICAL | CVSS 9.8 | CWE-494 | v10.0.33.8195 and earlier versions | 2025-11-20
Download of Code Without Integrity Check vulnerability: the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.
nvd
CVE-2021-3450 | P3 | HIGH | CVSS 7.4 | CWE-295 | fixed in 10.0.11 | 2021-03-25
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation
nvd
CVE-2025-40605 | P4 | MEDIUM | CVSS 5.3 | CWE-23 | v10.0.33.8195 and earlier versions | 2025-11-20
A Path Traversal vulnerability has been identified in the Email Security appliance that allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and may allow access to files and directories outside the intended restricted path.
nvd
CVE-2024-22398 | P4 | MEDIUM | CVSS 4.9 | CWE-22 | v10.0.26.7807 and earlier versions | 2024-03-14
An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.
nvd
CVE-2023-0655 | P4 | MEDIUM | CVSS 5.3 | CWE-209 | ≤ 10.0.19.7431 | 2023-02-14
SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users' email addresses.
nvd
CVE-2026-3468 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 10.0.35.8405 | v10.0.34.8215 and earlier versions (+1 more) | 2026-03-31
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code.
nvd
CVE-2026-3470 | P4 | LOW | CVSS 3.8 | CWE-20 | fixed in 10.0.35.8405 | v10.0.34.8215 and earlier versions (+1 more) | 2026-03-31
A vulnerability exists in the SonicWall Email Security appliance due to improper input sanitization that may lead to data corruption. A remote authenticated attacker as admin user could exploit this issue by providing crafted input that corrupts the application database.
nvd
CVE-2026-3469 | P4 | LOW | CVSS 2.7 | CWE-20 | fixed in 10.0.35.8405 | v10.0.34.8215 and earlier versions (+1 more) | 2026-03-31
A denial-of-service (DoS) vulnerability exists due to improper input validation in the SonicWall Email Security appliance, allowing a remote authenticated attacker as admin user to cause the application to become unresponsive.
nvd