Open Xchange
By the Year
So far in 2026, no vulnerabilities have been published for Open Xchange; in 2025 there were 7. With none published yet, 2026 is currently tracking below last year's count.
| Year | Vulnerabilities | Average CVSS score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 7 | 6.09 |
| 2024 | 23 | 6.43 |
| 2023 | 47 | 5.70 |
| 2022 | 23 | 6.37 |
| 2021 | 37 | 6.02 |
| 2020 | 14 | 5.36 |
| 2019 | 14 | 6.28 |
| 2018 | 13 | 6.20 |
It may take a day or so for new Open Xchange vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example Dovecot, OX App Suite or OX Guard).
Recent Open Xchange Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2025-59026 | Nov 27, 2025 | **File upload XSS: uploaded content executes script in the user's context.** Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. |
| CVE-2025-59025 | Nov 27, 2025 | **E-mail XSS via sanitization bypass.** Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known. |
| CVE-2025-30190 | Nov 27, 2025 | **Script injection via office documents.** Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. |
| CVE-2025-30186 | Nov 27, 2025 | **File upload XSS causing script execution.** Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. |
| CVE-2025-30189 | Oct 31, 2025 | **Passdb/userdb cache key collision: all users share one cache entry.** When caching is enabled, some passdb/userdb drivers incorrectly cache all users under the same cache key, so the wrong cached information is used for those users. After a cached login, all subsequent logins resolve to the same user. Install a fixed version or disable caching, either globally or for the affected passdb/userdb drivers. No publicly available exploits are known. |
| CVE-2025-30191 | Oct 31, 2025 | **E-mail redressing attack via malicious content.** Malicious content in an e-mail can be used to perform a redressing attack. Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further threats. Attribute values containing HTML fragments are now rejected by the sanitization procedure. No publicly available exploits are known. |
| CVE-2025-30188 | Oct 31, 2025 | **Cache eviction DoS via unbounded data added through the API.** Malicious or unintentional API requests can be used to add a significant amount of data to caches. Caches may then evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known. |
| CVE-2024-23185 | Sep 10, 2024 | **Dovecot message parser DoS via very large headers.** Very large headers can cause resource exhaustion when parsing a message. The message parser normally reads reasonably sized chunks of the message. However, when it feeds them to the message-header parser, that parser builds up a "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It does not matter whether it is a single long header line or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mail typically has size limits set by the MTA, so even the largest possible header may still fit into Dovecot's vsz_limit; attackers probably cannot DoS a victim user this way. A user could APPEND larger mails, though, allowing them to DoS themselves (and perhaps cause memory issues for the backend in general). Restrictions on headers can be implemented on the MTA component preceding Dovecot. No publicly available exploits are known. |
| CVE-2024-23184 | Sep 10, 2024 | **Dovecot CPU exhaustion when parsing many address headers.** Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment 500k header lines were observed taking 18 minutes to parse. Since this can be triggered by external actors sending e-mail to a victim, it is a security issue: an external attacker can send specially crafted messages that consume target system resources and cause an outage. Restrictions on address headers can be implemented on the MTA component preceding Dovecot. No publicly available exploits are known. |
| CVE-2024-25582 | Aug 19, 2024 | **Script injection via module savepoints.** Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding arbitrary or non-existent modules. No publicly available exploits are known. |
| CVE-2024-4367 | May 14, 2024 | **PDF.js missing type check allows arbitrary JavaScript execution.** A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. |
| CVE-2024-23186 | May 06, 2024 | **XSS via malicious e-mail display name on certain mobile devices.** E-mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Safer methods are now used to handle external content when embedding display-name information in the web interface. No publicly available exploits are known. |
| CVE-2024-23187 | May 06, 2024 | **Script injection via Content-ID (CID) embedded resources and the "show more" option.** Content-ID based embedding of resources in e-mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the user's account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known. |
| CVE-2024-23193 | May 06, 2024 | **Cross-user disclosure through the PDF export cache.** E-mails exported as PDF were stored in a cache that did not consider session information for the related user account. Users of the same service node could access other users' e-mails for a brief moment after they were exported as PDF, until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into account when making authorization decisions. No publicly available exploits are known. |
| CVE-2024-23192 | Apr 08, 2024 | **Script injection via data- attributes in RSS feeds.** RSS feeds that contain malicious data- attributes could be abused to inject script code into a user's browser session when reading compromised RSS feeds or after successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Potentially malicious attributes are now removed from external RSS content. No publicly available exploits are known. |
| CVE-2024-23191 | Apr 08, 2024 | **Stored XSS via upsell advertisement content.** Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved. No publicly available exploits are known. |
| CVE-2024-23190 | Apr 08, 2024 | **XSS via manipulated upsell shop information.** Upsell shop information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved. No publicly available exploits are known. |
| CVE-2024-23189 | Apr 08, 2024 | **XSS via embedded content references in tasks.** Embedded content references in tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to the user's account, access to another account within the same context, or a successful social engineering attack to make users import external content. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Sanitization of user-generated content has been improved. No publicly available exploits are known. |
| CVE-2023-41703 | Feb 12, 2024 | **XSS via unsanitized user mentions in document comments.** User ID references in mentions in document comments were not correctly sanitized. Script code could be injected into a user's session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions is now filtered to avoid potentially malicious content. No publicly available exploits are known. |
| CVE-2023-41704 | Feb 12, 2024 | **Script injection via CID references in e-mail that bypass sanitization.** Processing of CID references in e-mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected into users' sessions when interacting with e-mails. Please deploy the provided updates and patch releases. CID handling has been improved, and the resulting content is checked for malicious content. No publicly available exploits are known. |
| CVE-2023-41705 | Feb 12, 2024 | **OX App Suite: unbounded processing of DAV user-agent strings (DoS).** Processing of user-defined DAV user-agent strings was not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents is now monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known. |
| CVE-2023-41706 | Feb 12, 2024 | **OX App Suite: unbounded drive search expressions (DoS).** Processing of user-defined drive search expressions was not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of drive search expressions is now monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known. |
| CVE-2023-41708 | Feb 12, 2024 | **App loader references could redirect to unexpected locations, enabling script injection.** References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strictly to avoid relative references. No publicly available exploits are known. |
| CVE-2023-41707 | Feb 12, 2024 | **OX App Suite: unbounded mail search expressions (DoS).** Processing of user-defined mail search expressions was not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions is now monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known. |
| CVE-2023-29051 | Jan 08, 2024 | **OX App Suite: user-defined OXMF templates expose part of the internal Java API.** User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users and contexts. We now make sure that the switch to disable user-generated templates by default works as intended, and will remove the feature in future generations of the product. No publicly available exploits are known. |
| CVE-2023-29048 | Jan 08, 2024 | **OXMF template engine: system command execution as the runtime user.** A component for parsing OXMF templates could be abused to execute arbitrary system commands, which would run as the non-privileged runtime user. Users and attackers could run system commands with limited privileges to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands at the system level. No publicly available exploits are known. |
| CVE-2023-29049 | Jan 08, 2024 | **XSS via the "upsell" widget on the portal page.** The "upsell" widget on the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content being processed. No publicly available exploits are known. |
| CVE-2023-29050 | Jan 08, 2024 | **LDAP filter injection via the optional "LDAP contacts provider".** The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known. |
| CVE-2023-29052 | Jan 08, 2024 | **XSS via unsanitized disclaimer text in the upsell shop dialog.** Users were able to define disclaimer texts for an upsell shop dialog that could contain script code which was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known. |
| CVE-2023-41710 | Jan 08, 2024 | **XSS via unsanitized script in an upsell shop URL.** User-defined script code could be stored in an upsell-related shop URL. This code was not correctly sanitized when adding it to the DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known. |
| CVE-2023-26452 | Nov 02, 2023 | **SQL injection in the imageconverter service when caching an image and returning its metadata.** Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to networks adjacent to the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the service's database user account. API requests are now properly checked for valid content, and attempts to circumvent this check are logged as errors. No publicly available exploits are known. |
| CVE-2023-26453 | Nov 02, 2023 | **SQL injection in the imageconverter service via cache-image requests.** Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to networks adjacent to the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the service's database user account. API requests are now properly checked for valid content, and attempts to circumvent this check are logged as errors. No publicly available exploits are known. |
| CVE-2023-26454 | Nov 02, 2023 | **SQL injection in the imageconverter service via metadata fetch.** Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to networks adjacent to the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the service's database user account. API requests are now properly checked for valid content, and attempts to circumvent this check are logged as errors. No publicly available exploits are known. |
| CVE-2023-26455 | Nov 02, 2023 | **Missing authentication on ChronosRMIService:setEventOrganizer.** RMI did not require authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known. |
| CVE-2023-26456 | Nov 02, 2023 | **XSS via unsanitized OX Guard "product name".** Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before being processed in the user interface, allowing indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is now in place for product names. No publicly available exploits are known. |
| CVE-2023-29043 | Nov 02, 2023 | **Script execution via user-controlled image references in presentations.** Presentations may contain references to images which are user-controlled and could include malicious script code that is processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when performing certain actions, like copying content. The relevant attribute is now encoded to avoid the possibility of executing script code. No publicly available exploits are known. |
| CVE-2023-29044 | Nov 02, 2023 | **Script injection via manipulated document collaboration operations.** Document operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users actively collaborating on the same document. Operation data exchanged between collaborating parties is now escaped to avoid code execution. No publicly available exploits are known. |
| CVE-2023-29045 | Nov 02, 2023 | **Script injection via malformed "drawing" operations in collaborative documents.** Document operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users actively collaborating on the same document. Operation data exchanged between collaborating parties is now checked for validity to avoid code execution. No publicly available exploits are known. |
| CVE-2023-29046 | Nov 02, 2023 | **Egress connection exhaustion via unterminated connections to user-controlled endpoints.** Connections to external data sources, like e-mail autoconfiguration, were not terminated when they hit a timeout; instead, those connections were only logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result, users were able to trigger a large number of egress network connections, possibly exhausting network pool resources and locking up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known. |
| CVE-2023-29047 | Nov 02, 2023 | **Imageconverter API SQL injection via insufficiently validated input.** Imageconverter API endpoints provided methods that did not sufficiently validate and sanitize client input, allowing injection of arbitrary SQL statements. An attacker with access to the adjacent network, and potentially API credentials, could read and modify database content accessible to the imageconverter SQL user account. No publicly available exploits are known. |
| CVE-2023-26442 | Aug 02, 2023 | **Cacheservice SSRF via sproxyd HTTP redirects.** If Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network and the capability to intercept and replay HTTP requests to sproxyd (or who controls the sproxyd service) could perform a server-side request forgery attack and make Cacheservice connect to unexpected resources. We have disabled the ability to follow HTTP redirects when connecting to sproxyd resources. No publicly available exploits are known. |
| CVE-2023-26449 | Aug 02, 2023 | **"OX Chat" web service: missing media type for external responses enables XSS and session hijacking.** The "OX Chat" web service did not specify a media type when processing responses from external resources. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. We are now defining the accepted media type to avoid code execution. No publicly available exploits are known. |
| CVE-2023-26448 | Aug 02, 2023 | **XSS via unsanitized custom log-in and log-out URLs.** Custom log-in and log-out locations are user-defined via jslob but were not checked for malicious protocol handlers. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. We now sanitize jslob content for those locations to avoid redirects to malicious content. No publicly available exploits are known. |
| CVE-2023-26451 | Aug 02, 2023 | **Predictable authorization codes in the integrated OAuth Authorization Service.** Functions with insufficient randomness were used to generate authorization tokens of the integrated OAuth Authorization Service. Authorization codes were predictable by third parties and could be used to intercept and take over the client authorization process. As a result, other users' accounts could be compromised. The OAuth Authorization Service is not enabled by default. We have updated the implementation to use sources with sufficient randomness to generate authorization tokens. No publicly available exploits are known. |
| CVE-2023-26450 | Aug 02, 2023 | **"OX Count" web service: missing media type for external responses enables XSS and session hijacking.** The "OX Count" web service did not specify a media type when processing responses from external resources. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. We are now defining the accepted media type to avoid code execution. No publicly available exploits are known. |
| CVE-2023-26447 | Aug 02, 2023 | **XSS in the portal "upsell" widget via an unescaped jslob product description.** The "upsell" widget for the portal allows specifying a product description. This description, taken from a user-controllable jslob, was not escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known. |
| CVE-2023-26446 | Aug 02, 2023 | **XSS via unsanitized clientID in "application passwords".** The user's clientID in "application passwords" was not sanitized or escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known. |
| CVE-2023-26445 | Aug 02, 2023 | **XSS via user-controllable jslob theme settings.** Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known. |
| CVE-2023-26439 | Aug 02, 2023 | **Cacheservice API SQL injection via unsanitized parameters.** The cacheservice API could be abused to inject parameters with SQL syntax that were insufficiently sanitized before being executed as an SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users' cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known. |
| CVE-2023-26440 | Aug 02, 2023 | **Cacheservice API: indirect SQL injection when creating cache groups.** The cacheservice API could be abused to indirectly inject parameters with SQL syntax that were insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known. |
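Both Dovecot entries above (CVE-2024-23184 and CVE-2024-23185) point to the same mitigation: bound headers at the MTA before Dovecot ever parses them. The following is an added example, not code from this page, from Dovecot or from Open-Xchange, of a streaming pre-check that enforces three limits while reading the header section line by line: total header bytes, bytes per logical header with folded continuation lines included (which is exactly where the unbounded full_value buffer grows), and the number of physical lines that belong to address headers. The sample messages are constructed for the demonstration; of the limit values, 102400 is Postfix's default header_size_limit and the other two are assumptions.

```python
import io
from dataclasses import dataclass

# Header names whose parsing CVE-2024-23184 describes as CPU-expensive in volume.
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "sender", "reply-to",
                   "resent-from", "resent-to", "resent-cc", "resent-sender"}


@dataclass(frozen=True)
class HeaderLimits:
    # Total bytes of the header section; 102400 is Postfix's default header_size_limit.
    max_header_bytes: int = 102_400
    # Bytes for one logical header including folded continuation lines (assumed value).
    max_single_header: int = 8_192
    # Physical lines (continuations included) belonging to address headers (assumed value).
    max_address_lines: int = 1_000


DEFAULT_LIMITS = HeaderLimits()


def check_headers(raw: bytes, limits: HeaderLimits = DEFAULT_LIMITS):
    """Scan the header section line by line and stop at the first violated limit.

    Returns (accepted, reason). Only the current line and a few counters are kept,
    so the check itself can never be made to buffer a huge header value.
    """
    stream = io.BytesIO(raw)      # stands in for the socket or file the MTA reads
    total = 0                     # bytes of the header section seen so far
    address_lines = 0             # physical lines belonging to address headers
    current_name = None           # header the current (possibly folded) line belongs to
    current_len = 0               # bytes accumulated for that header
    while True:
        line = stream.readline()
        if not line or line in (b"\r\n", b"\n"):
            return True, "ok"     # end of headers (or of data) without a violation
        total += len(line)
        if total > limits.max_header_bytes:
            return False, "header section exceeds %d bytes" % limits.max_header_bytes
        if line[:1] in (b" ", b"\t"):
            # Folded continuation: it extends the previous header, so its bytes
            # count against that header's budget rather than starting a new one.
            if current_name is None:
                return False, "continuation line before any header"
            current_len += len(line)
        else:
            name, sep, _ = line.partition(b":")
            if not sep:
                return False, "malformed header line"
            current_name = name.strip().decode("ascii", "replace").lower()
            current_len = len(line)
        if current_len > limits.max_single_header:
            return False, "header %r exceeds %d bytes" % (current_name, limits.max_single_header)
        if current_name in ADDRESS_HEADERS:
            address_lines += 1
            if address_lines > limits.max_address_lines:
                return False, "more than %d address header lines" % limits.max_address_lines


# --- constructed sample messages, not real mail ---

def sample_normal() -> bytes:
    return (b"From: alice@example.test\r\n"
            b"To: bob@example.test\r\n"
            b"Subject: hello\r\n"
            b"\r\n"
            b"body\r\n")


def sample_many_address_lines(n: int) -> bytes:
    # n separate To: lines, the shape behind CVE-2024-23184.
    return b"".join(b"To: user%d@example.test\r\n" % i for i in range(n)) + b"\r\nbody\r\n"


def sample_huge_folded_header(n: int) -> bytes:
    # One Subject header folded over n continuation lines, the shape behind CVE-2024-23185.
    return b"Subject: x\r\n" + b" y\r\n" * n + b"\r\nbody\r\n"


def sample_many_small_headers(n: int) -> bytes:
    # Many distinct short headers: each is fine alone, the section as a whole is not.
    return b"".join(b"X-H%d: v\r\n" % i for i in range(n)) + b"\r\nbody\r\n"
```

Because the check returns at the first violated limit and never assembles a header value, it runs in memory proportional to one line even against the 500k-line messages the advisory mentions, which makes it a suitable shape for a milter or content filter that sees the raw message before delivery.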
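CVE-2025-30189 above describes passdb/userdb drivers that keyed their cache by driver rather than by user, and CVE-2024-23193 describes a PDF export cache keyed without session information; both are the same defect class, a cache key that omits the principal. The following added example, not Dovecot or Open-Xchange code, reproduces the authentication symptom with a toy lookup cache: with the buggy keying, the first cached record answers for every later user, so a second user's real password is rejected while the first user's password logs the second user in as the first. The user table, driver name and SHA-256 "password hash" are constructed for the demo; a real passdb would store a slow salted hash such as Argon2 or bcrypt.

```python
import hashlib
import hmac


def _demo_hash(password: str) -> str:
    # Demo only: a real passdb stores a slow, salted password hash (bcrypt, Argon2, ...).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table standing in for the driver's backing store (LDAP, SQL, passwd-file).
USERS = {
    "alice": {"uid": 1001, "home": "/srv/mail/alice", "pw": _demo_hash("alice-secret")},
    "bob":   {"uid": 1002, "home": "/srv/mail/bob",   "pw": _demo_hash("bob-secret")},
}


def backend_lookup(username: str):
    """The expensive query the cache is meant to avoid."""
    return USERS.get(username)


class PassdbCache:
    """Lookup cache in front of a passdb/userdb driver.

    per_user_keys=False reproduces the defect: every user shares the driver's single
    cache slot, so whichever record was cached first is returned for everyone.
    """

    def __init__(self, driver_name: str, per_user_keys: bool):
        self.driver = driver_name
        self.per_user_keys = per_user_keys
        self.entries = {}
        self.backend_calls = 0

    def cache_key(self, username: str) -> str:
        if self.per_user_keys:
            return "%s/%s" % (self.driver, username)   # fixed: the principal is part of the key
        return self.driver                             # buggy: one slot per driver

    def lookup(self, username: str):
        key = self.cache_key(username)
        if key not in self.entries:
            self.backend_calls += 1
            self.entries[key] = backend_lookup(username)
        return self.entries[key]


def authenticate(cache: PassdbCache, username: str, password: str):
    """Return the uid on success, None on failure; mirrors a passdb verify step."""
    record = cache.lookup(username)
    if record is None or not hmac.compare_digest(record["pw"], _demo_hash(password)):
        return None
    return record["uid"]
```

The backend_calls counter shows the other half of the advisory: with the buggy key the backend is asked only once, so the cache "works" and nothing in the driver's own logs looks wrong; only the identity of the authenticated user is.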
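CVE-2023-29050 above was fixed by encoding user-provided fragments before they are placed in an LDAP filter. The following added example, not Open-Xchange code, shows the RFC 4515 escaping that fix implies beside the vulnerable concatenation, and evaluates both filters against a small in-memory directory with a minimal filter parser so the effect is visible: a search term of `*)(cn=*` turns the intended exact-match lookup into a wildcard that returns every person, including entries outside the hierarchy the contacts provider was meant to expose, while the escaped version matches nothing. The filter template, the directory entries and the parser are assumptions made for the demonstration.

```python
import re


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    The five characters with syntactic meaning in a filter become backslash-hex;
    everything else passes through unchanged.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(cn=%s))"   # assumed contacts-provider query


def build_contact_filter_unsafe(search_term: str) -> str:
    # Vulnerable pattern: the user-controlled term is concatenated verbatim.
    return FILTER_TEMPLATE % search_term


def build_contact_filter(search_term: str) -> str:
    # Hardened pattern: the term is escaped, so it can only ever be an assertion value.
    return FILTER_TEMPLATE % escape_ldap_filter_value(search_term)


# --- minimal in-memory filter evaluator, enough to show the effect of both filters ---

def _value_pattern(value: str):
    """Compile an assertion value: a bare '*' is a wildcard, '\\XX' is a literal character."""
    parts = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_filter(s: str, pos: int = 0):
    """Recursive-descent parser for (&...), (|...), (!...) and attr=value items."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if pos < len(s) and s[pos] in "&|!":
        op = s[pos]
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = s.find(")", pos)
    if end < 0:
        raise ValueError("unterminated item at %d" % pos)
    attr, sep, value = s[pos:end].partition("=")
    if not sep:
        raise ValueError("item without '=' at %d" % pos)
    return ("=", attr.strip().lower(), _value_pattern(value)), end + 1


def matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(pattern.match(v) for v in entry.get(attr, ()))


def search(directory, filter_string: str):
    """Return the DNs of all entries matching filter_string; raise on a malformed filter."""
    node, end = parse_filter(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in directory if matches(node, e)]


# Constructed sample directory; attribute names are lower-cased to match the parser.
DIRECTORY = [
    {"dn": "cn=Alice Example,ou=people,dc=example,dc=test",
     "objectclass": ["inetOrgPerson"], "cn": ["Alice Example"], "mail": ["alice@example.test"]},
    {"dn": "cn=Bob Example,ou=people,dc=example,dc=test",
     "objectclass": ["inetOrgPerson"], "cn": ["Bob Example"], "mail": ["bob@example.test"]},
    {"dn": "cn=svc-backup,ou=service,dc=example,dc=test",
     "objectclass": ["inetOrgPerson"], "cn": ["svc-backup"], "mail": ["backup@example.test"]},
]
```

The parser rejects trailing data after the top-level filter, which is also how a directory server reacts to an unescaped parenthesis in a legitimate name such as "Alice (Sales)": unescaped input is not only an injection vector, it also breaks ordinary queries, so the escaping is a correctness fix as much as a security one.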
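CVE-2023-26448 (custom log-in and log-out locations with malicious protocol handlers), CVE-2023-26445 (theme settings pointing at a malicious resource) and CVE-2023-41708 (app loader references resolving to unexpected locations) above all stem from a user-controllable location being trusted as-is. The following added example, not Open-Xchange code, is a validator for such values: it accepts only absolute http(s) URLs on an allow-listed host or site-absolute paths, and rejects script and data schemes, whitespace-obfuscated schemes, protocol-relative and backslash forms, userinfo tricks and relative references. The allow-listed host and the sample values are constructed for the demo.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_location(value, allowed_hosts) -> bool:
    """Accept only absolute http(s) URLs on an allow-listed host, or site-absolute paths.

    Rejects script/data schemes, protocol-relative and backslash forms that browsers
    treat as absolute, userinfo tricks, and relative references.
    """
    if not isinstance(value, str):
        return False
    # Browsers ignore tab/newline inside a scheme ("java\tscript:"), so strip all
    # whitespace before classifying; a legitimate location never contains any.
    candidate = "".join(value.split())
    if not candidate or "\\" in candidate:       # "/\\evil" is treated as "//evil" by browsers
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:                           # e.g. malformed IPv6 literal
        return False
    if parts.scheme:                             # urlsplit lower-cases the scheme
        if parts.scheme not in ALLOWED_SCHEMES:
            return False
        # hostname drops userinfo and port and is lower-cased, so "host@evil" resolves to evil.
        return parts.hostname in allowed_hosts
    # No scheme: require a site-absolute path. "//host" is protocol-relative, not a path.
    if parts.netloc or not candidate.startswith("/") or candidate.startswith("//"):
        return False
    return True
```

Rejecting every relative reference is deliberate and matches the app loader fix in CVE-2023-41708: a value like `../x` has no meaning independent of the page that resolves it, so a setting that is stored once and resolved from many places cannot safely contain one.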
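CVE-2023-26451 above concerns authorization codes generated with insufficient randomness. The following added example, not Open-Xchange code, makes the weakness concrete: a code derived from a general-purpose PRNG seeded with the clock can be re-derived by anyone who knows roughly when it was issued, here by trying every seed in a ten-minute window. Beside it is the hardened shape: a CSPRNG code that is single-use, short-lived, bound to the requesting client and compared in constant time. The store, its lifetime and the client identifiers are assumptions for the demonstration.

```python
import hmac
import random
import secrets
import time


def issue_code_weak(issued_at: float) -> str:
    """Vulnerable pattern: a general-purpose PRNG seeded from the wall clock (second resolution)."""
    rng = random.Random(int(issued_at))
    return "%032x" % rng.getrandbits(128)


def guess_weak_codes(observed_at: float, window_seconds: int = 300) -> set:
    """Attacker view: knowing roughly when the victim's code was issued, re-derive every
    candidate within +/- window_seconds. 601 guesses cover a ten-minute window."""
    base = int(observed_at)
    return {issue_code_weak(base + delta) for delta in range(-window_seconds, window_seconds + 1)}


def issue_code_strong() -> str:
    """Hardened pattern: 256 bits from the OS CSPRNG, URL-safe for the redirect."""
    return secrets.token_urlsafe(32)


class AuthorizationCodeStore:
    """Single-use, short-lived codes bound to the client that requested them (RFC 6749 4.1.2)."""

    def __init__(self, lifetime_seconds: int = 600):
        self.lifetime = lifetime_seconds
        self._codes = {}  # code -> (client_id, user, issued_at)

    def issue(self, client_id: str, user: str, now: float = None) -> str:
        code = issue_code_strong()
        self._codes[code] = (client_id, user, time.time() if now is None else now)
        return code

    def redeem(self, presented: str, client_id: str, now: float = None):
        """Return the user the code was issued for, or None. A matching code is
        consumed whether or not the client and lifetime checks pass."""
        now = time.time() if now is None else now
        if not isinstance(presented, str) or not presented.isascii():
            return None
        # Compare against every outstanding code in constant time so response timing
        # does not reveal how many leading characters of a guess were right.
        match = None
        for code in list(self._codes):
            if hmac.compare_digest(code, presented):
                match = code
        if match is None:
            return None
        stored_client, user, issued_at = self._codes.pop(match)
        if stored_client != client_id or now - issued_at > self.lifetime:
            return None
        return user
```

Note that the weak generator does not even need the attacker to observe a code: the clock is the whole secret, so the search space is the number of seconds in which the victim could plausibly have started the authorization flow.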
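The imageconverter and cacheservice entries above (CVE-2023-26452, CVE-2023-26453, CVE-2023-26454, CVE-2023-29047, CVE-2023-26439 and CVE-2023-26440) all describe request parameters reaching an SQL statement unchecked, and describe the fix as validating the parameters and logging attempts to circumvent the check. The following added example, not Open-Xchange code, shows that pattern on an SQLite stand-in for a cache-metadata table: the vulnerable lookup splices the key into the statement, so a boolean payload dumps every row and a UNION payload reads the schema; the hardened lookup validates the key's shape, logs and refuses anything else, and binds the value as a parameter. The table layout, the 32-hex-digit key format and the rows are constructed for the demo.

```python
import logging
import re
import sqlite3

log = logging.getLogger("imageconverter-demo")

# Assumption for the demo: cache keys are lower-case 32-hex-digit digests of the source image.
CACHE_KEY_RE = re.compile(r"\A[0-9a-f]{32}\Z")


class InvalidCacheKey(ValueError):
    pass


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the imageconverter metadata table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE image_cache ("
        "image_key TEXT PRIMARY KEY, owner TEXT, width INTEGER, height INTEGER, mime TEXT)"
    )
    conn.executemany("INSERT INTO image_cache VALUES (?, ?, ?, ?, ?)", [
        ("0f1e2d3c4b5a69788796a5b4c3d2e1f0", "alice", 1024, 768, "image/jpeg"),
        ("1a2b3c4d5e6f708192a3b4c5d6e7f809", "bob", 640, 480, "image/png"),
        ("ffeeddccbbaa99887766554433221100", "carol", 320, 240, "image/gif"),
    ])
    return conn


def fetch_metadata_unsafe(conn: sqlite3.Connection, image_key: str):
    """Vulnerable pattern: the request parameter is spliced into the SQL text."""
    sql = ("SELECT image_key, owner, width, height, mime FROM image_cache "
           "WHERE image_key = '%s'" % image_key)
    return conn.execute(sql).fetchall()


def fetch_metadata(conn: sqlite3.Connection, image_key: str):
    """Hardened pattern: validate the parameter's shape, log and refuse anything else,
    and bind the value instead of formatting it into the statement."""
    if not isinstance(image_key, str) or not CACHE_KEY_RE.match(image_key):
        log.error("rejected malformed image key %r", image_key)
        raise InvalidCacheKey(repr(image_key))
    return conn.execute(
        "SELECT image_key, owner, width, height, mime FROM image_cache WHERE image_key = ?",
        (image_key,),
    ).fetchall()
```

The two halves of the fix are independent: parameter binding alone already stops the injection, and shape validation alone would stop these particular payloads, but only the combination gives both a guarantee that no value can change the statement and the error-log signal the advisories mention for spotting probing from the adjacent network.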