Before 2021, there was CVE-2019-18463. This allowed an attacker to bypass authentication entirely via specially crafted IMAP commands. Although older, many legacy hMailServer installations (pre-5.6.8) remain vulnerable.

Since many exploits inject shell commands via email headers, a WAF (like ModSecurity) can block payloads containing $(, |, or & in SMTP commands.

The hMailServer project is maintained by a small team (primarily developer Martin Knafve). While they respond to CVEs quickly, the delay between a patch release and widespread admin adoption is where GitHub exploits flourish.

As of 2025, no critical RCE exploits exist for the latest 5.6.9+ branch—but that does not mean none will emerge tomorrow. The GitHub search "hmailserver exploit github" will continue to be a first-stop for attackers.