What is CVE-2018-25223?

CVE-2018-25223 is a critical-severity vulnerability in Crashmail, classified under Out-of-bounds Write. CVSS score: 9.8/10. Published 2026-03-28.

How severe is CVE-2018-25223?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Buffer overflow in Crashmail

CVE-2018-25223

Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution…

Vulnerability class: Buffer Overflow

EPSS: 0.004 (61.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Crashmail — versions 1.6

Weakness classification (CWE)

CWE-787 — Out-of-bounds Write

References

ExploitDB-44331 (exploit)
Official Product Homepage (product)
Official Product Homepage (product)
VulnCheck Advisory: Crashmail 1.6 Stack-based Buffer Overflow Remote Code Execution (third-party-advisory)

Frequently asked questions

What is CVE-2018-25223?: CVE-2018-25223 is a critical-severity vulnerability in Crashmail, classified under Out-of-bounds Write. CVSS score: 9.8/10. Published 2026-03-28.
How severe is CVE-2018-25223?: Critical severity. CVSS v3 base score is 9.8 out of 10.