CVE-2025-30349

Severity: HIGH · Status: EXPLOITED

Horde IMP < 6.2.27 - Cross-Site Scripting via Crafted Email onerror Attribute

Title source: llm

Exploitation Summary

CVE-2025-30349 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including natasaka.

AI-analyzed exploit summary: This PoC exploits an XSS vulnerability in Horde IMP by sending a crafted email with obfuscated HTML/JavaScript payloads. The payloads execute arbitrary JavaScript when the email is viewed in the Horde Web Client.

Description

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

Exploits (1)

Source: nomisec · WORKING POC
by natasaka · client-side
https://github.com/natasaka/CVE-2025-30349

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Horde 5.2.23; IMP 6.2.27
Auth required
Prerequisites: Access to an SMTP server · Valid credentials for the SMTP server · Target must view the email in Horde Web Client
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 7.2
EPSS: 0.4981
EPSS Percentile: 97.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

VulnCheck KEV: 2025-03-21
CWE: CWE-79
Status: published
Products (1): Horde/IMP < 6.2.27
Published: Mar 21, 2025
Tracked Since: Feb 18, 2026