Use of hardcoded cryptographic key in BlowFish.cpp in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords used in database connections from hMailServer.ini config file.
https://github.com/mojibake-dev/mojibake-CVE/blob/main/hMailServer/CVE-2025-52373.md