Reflected Cross-Site Scripting Vulnerability in MailEnable Email Server
CVE-2025-34397

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34397?

MailEnable versions before 10.54 are susceptible to a reflected cross-site scripting (XSS) vulnerability located in the Message parameter of /Mobile/Compose.aspx. The flaw arises from inadequate sanitization of the Message value during GET requests, which leads to potential execution of attacker-controlled JavaScript in the user's browser upon accessing a crafted reply URL. This exploitation can result in redirection to malicious websites, theft of non-HttpOnly cookies, injection of unwelcome HTML or CSS, and unauthorized actions performed as the authenticated user.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.