| Description | CVE | Affected Versions | Date |
|---|---|---|---|
| Race condition | CVE-2025-48880 | < 1.8.181 | 2025-05-15 |
| Stored XSS [8] | CVE-2025-48875 | < 1.8.180 | 2025-05-15 |
| Stored XSS [6] | CVE-2025-48488 | < 1.8.180 | 2025-05-15 |
| Stored XSS [4] | CVE-2025-48488 | < 1.8.180 | 2025-05-15 |
| Stored XSS [4] | CVE-2025-48486 | < 1.8.180 | 2025-05-15 |
| Stored XSS [7] | CVE-2025-48489 | < 1.8.180 | 2025-05-15 |
| Stored XSS [6] | CVE-2025-48488 | < 1.8.180 | 2025-05-15 |
| Stored XSS [5] | CVE-2025-48487 | < 1.8.180 | 2025-05-15 |
| Stored XSS [4] | CVE-2025-48486 | < 1.8.180 | 2025-05-15 |
| Stored XSS [3] | CVE-2025-48485 | < 1.8.180 | 2025-05-15 |
| Stored XSS [2] | CVE-2025-48484 | < 1.8.178 | 2025-05-15 |
| Stored XSS leads to CSRF [1] | CVE-2025-48483 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [7] | CVE-2025-48482 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [6] | CVE-2025-48481 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [4] | CVE-2025-48479 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [5] | CVE-2025-48480 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [3] | CVE-2025-48478 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [2] | CVE-2025-48477 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [1] | CVE-2025-48474 | < 1.8.180 | 2025-05-14 |
| Insufficient authorization [3] | CVE-2025-48474 | < 1.8.180 | 2025-05-14 |
| Insufficient authorization [4] | CVE-2025-48475 | < 1.8.179 | 2025-05-14 |
| Insufficient authorization [1] | CVE-2025-48473 | < 1.8.179 | 2025-05-14 |
| Insufficient authorization [1] | CVE-2025-48472 | < 1.8.179 | 2025-05-14 |
| Arbitrary file upload | CVE-2025-48471 | < 1.8.179 | 2025-05-14 |
| Remote Code Execution (RCE) | CVE-2025-48390 | < 1.8.178 | 2025-05-14 |
| Deserialization of untrusted data | CVE-2025-48389 | < 1.8.178 | 2025-05-14 |
| Insufficient Protection Against CRLF-injection | CVE-2025-48388 | < 1.8.178 | 2025-05-14 |
| Prototype Pollution in getQueryParam Function (URL Query Parser) | CVE-2024-34698 | < 1.8.139 | 2024-05-03 |
| Stored HTML Injection in Editing Received Emails | CVE-2024-34697 | < 1.8.139 | 2024-05-02 |
| Stored XSS to Privilege Escalation After CSP Bypass | CVE-2024-29184 | < 1.8.128 | 2024-03-15 |
| OS Command Injection | CVE-2024-29185 | < 1.8.128 | 2024-03-15 |
| SMTP Mail Credentials Disclosed in Error Log | CVE-2024-28186 | < 1.8.124 | 2024-03-04 |
| Unrestricted File Upload Led to Cross-Site Scripting | CVE-2024-1932 | < 1.8.101 | 2024-02-28 |