Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password - which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0.
Conclusion & alert: CVE-2021-41083 is rated Moderate Risk (43/100): CVSS High severity, with low exploitation likelihood (EPSS 0.39%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.17% | 0.39% | +0.22% |
| 2 | 2025-11-21 | 0.14% | 0.17% | +0.04% |
| 3 | 2025-11-18 | — | 0.14% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.0 | 3.1 | HIGH |
|
2.1 | 5.9 | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| dadamailproject | dada_mail | < 11.16.0 | cpe:2.3:a:dadamailproject:dada_mail:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/justingit/dada-mail/commit/d4d3d86d08c816b4da75a5ef45abc12188772459 | Patch Third Party Advisory |
| https://github.com/justingit/dada-mail/security/advisories/GHSA-344m-p829-2r38 | Third Party Advisory |