Not a traditional CVE but a logic flaw in how hMailServer handles SMTP MAIL FROM and RCPT TO headers. Several GitHub scripts automate open-relay testing and spoofed email sending.
The exploit is publicly available on GitHub, which has raised concerns among administrators and security professionals. It is provided as a proof-of-concept (PoC) that demonstrates how the vulnerability is exploited.
Initial administrator passwords in some versions were obfuscated with insecure hashes during installation.
Historical and Auxiliary Exploits
PHPWebAdmin File Inclusion
This allows local attackers to decrypt passwords for other servers stored in the hMailAdmin.exe.config file.