CVE-2006-2190

Exp

Cross-site scripting (XSS) vulnerability in ow-shared.pl in OpenWebMail (OWM) 2.51 and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter in (1) openwebmail-send.pl, (2) openwebmail-advsearch.pl, (3) openwebmail-folder.pl, (4) openwebmail-prefs.pl, (5) openwebmail-abook.pl, (6) openwebmail-read.pl, (7) openwebmail-cal.pl, and (8) openwebmail-webdisk.pl. NOTE: the openwebmail-main.pl vector is already covered by CVE-2005-2863.

Published: 2006-05-04 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2006-2190 is rated High Exploit Risk (67.3/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.60%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2006-2190

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2006-2190

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 1.92% 1.60% -0.32%
2 2025-05-28 1.57% 1.92% +0.35%
3 2025-03-17 1.57%

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2006-2190

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
8.6 6.4 [email protected]

Weakness enumeration for CVE-2006-2190

NVD evaluator notes for CVE-2006-2190

Solution: This vulnerability is addressed in the following product release: Open WebMail, Open WebMail, 2.52

Affected software / configurations for CVE-2006-2190

Vendor Product Version Raw CPE
open_webmail open_webmail <= 2.51 cpe:2.3:a:open_webmail:open_webmail:*:*:*:*:*:*:*:*
open_webmail open_webmail 1.7 cpe:2.3:a:open_webmail:open_webmail:1.7:*:*:*:*:*:*:*
open_webmail open_webmail 1.8 cpe:2.3:a:open_webmail:open_webmail:1.8:*:*:*:*:*:*:*
open_webmail open_webmail 1.71 cpe:2.3:a:open_webmail:open_webmail:1.71:*:*:*:*:*:*:*
open_webmail open_webmail 1.81 cpe:2.3:a:open_webmail:open_webmail:1.81:*:*:*:*:*:*:*
open_webmail open_webmail 1.90 cpe:2.3:a:open_webmail:open_webmail:1.90:*:*:*:*:*:*:*
open_webmail open_webmail 2.00 cpe:2.3:a:open_webmail:open_webmail:2.00:*:*:*:*:*:*:*
open_webmail open_webmail 2.01 cpe:2.3:a:open_webmail:open_webmail:2.01:*:*:*:*:*:*:*
open_webmail open_webmail 2.10 cpe:2.3:a:open_webmail:open_webmail:2.10:*:*:*:*:*:*:*
open_webmail open_webmail 2.20 cpe:2.3:a:open_webmail:open_webmail:2.20:*:*:*:*:*:*:*
open_webmail open_webmail 2.21 cpe:2.3:a:open_webmail:open_webmail:2.21:*:*:*:*:*:*:*
open_webmail open_webmail 2.30 cpe:2.3:a:open_webmail:open_webmail:2.30:*:*:*:*:*:*:*
open_webmail open_webmail 2.31 cpe:2.3:a:open_webmail:open_webmail:2.31:*:*:*:*:*:*:*
open_webmail open_webmail 2.32 cpe:2.3:a:open_webmail:open_webmail:2.32:*:*:*:*:*:*:*
open_webmail open_webmail 2.40 cpe:2.3:a:open_webmail:open_webmail:2.40:*:*:*:*:*:*:*
open_webmail open_webmail 2.41 cpe:2.3:a:open_webmail:open_webmail:2.41:*:*:*:*:*:*:*
open_webmail open_webmail 2.50 cpe:2.3:a:open_webmail:open_webmail:2.50:*:*:*:*:*:*:*

References for CVE-2006-2190

cvelogic Threat Intelligence