Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81.
AnalysisAI
CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.
Technical ContextAI
Mail-0 Zero is an open-source email client/server solution that processes and renders email messages in a web interface. The vulnerability stems from CWE-1384 (Improper Neutralization of Noninput Request Data Before Storage or Transmission), which is a variant of improper input sanitization affecting email content handling. The root cause is inadequate HTML/JavaScript sanitization when parsing email messages before rendering them in the browser DOM. The email parsing/rendering pipeline fails to strip or escape dangerous HTML tags (such as <script>, event handlers like onclick, or other XSS vectors) from email bodies. When the email is displayed to an authenticated user via the web UI, the unsanitized content executes with the privileges of the user's authenticated session, allowing the attacker to steal session tokens, cookies, or perform actions on behalf of the victim. CPE identification would be: cpe:2.3:a:mail-0:zero:0.8:*:*:*:*:*:*:*
RemediationAI
Upgrade Mail-0 Zero from version 0.8 to version 0.81 or later; priority: IMMEDIATE; steps: ['Review Mail-0 Zero release notes and changelog for version 0.81+', 'Test patch in non-production environment', 'Deploy patch to all instances running version 0.8', 'Verify successful upgrade and test email rendering functionality'] Workaround (temporary, pre-patch): Disable or restrict web UI access until patch is applied; steps: ['Configure reverse proxy (nginx/Apache) to restrict access to web UI to trusted IPs only', 'Instruct users to use alternative email clients (IMAP/POP3) instead of web interface', 'Implement Content Security Policy (CSP) headers to restrict inline script execution (defense-in-depth)'] Detection and Monitoring: Monitor for exploitation attempts; steps: ['Review email message logs for suspicious JavaScript content in message bodies', 'Monitor session logs for anomalous authentication patterns (session reuse from unexpected IPs)', 'Implement WAF/IDS rules to detect XSS payloads in email headers/bodies']
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18797