CVE-2025-40631

Summary

HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed on page load. The user must interact with a malicious link to be redirected.

Affected Software

VendorProductVersion RangeStatus
IcewarpIcewarp Mail Server11.4.0affected

Weaknesses

  • CWE-644: CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References