SurgeMail and WebMail are prone to a remote fomat-string vulnerability because the applications fail to properly sanitize user-supplied input begore including it in the format-specifier argument of a formatted-printing function. The risk is LOW. A remote attacker may execute arbitrary code with the privileges of the user running the affected applications. Failed exploit attempts will result in a denial of service.