Reflected XSS Vulnerability in MailEnable Email Software
CVE-2025-34400

5.3 MEDIUM

Key Information:

Vendor: MailEnable

CVE Published: 9 December 2025

What is CVE-2025-34400?

The MailEnable email software is affected by a reflected cross-site scripting vulnerability in the AddressesTo parameter of the AddressBook.aspx page. When a GET request is made, the AddressesTo value is not properly sanitized, allowing attackers to inject their own JavaScript. By crafting a malicious payload, an attacker could execute arbitrary JavaScript in the browser of a victim who is trying to send an email, potentially redirecting them to harmful sites or stealing sensitive cookies. This vulnerability underscores the importance of proper input sanitization in web applications.
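The two defender-side checks that follow are an added illustration and not MailEnable's code: a stand-in for the reflecting handler, once copying the AddressesTo value into the page verbatim (the reported weakness) and once HTML-attribute-encoding it, plus a scanner over constructed IIS-style log lines that flags requests to AddressBook.aspx whose AddressesTo value carries markup. The page path, log format and sample values are assumptions made for the example.

```python
"""Hypothetical illustration of CVE-2025-34400's failure mode and its fix.

None of this is MailEnable's code. render_unsafe/render_safe stand in for the
AddressBook.aspx handler; the log scanner works over constructed lines in an
IIS/W3C-like layout (date time method uri-stem uri-query status).
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample values: a benign address list, and a value carrying the
# kind of markup a reflected-XSS probe against the parameter would contain.
BENIGN = "alice@example.com; bob@example.com"
MARKUP = 'x"><script>probe()</script>'


def render_unsafe(addresses_to: str) -> str:
    """Reflect the query value verbatim: the quote in MARKUP closes the
    attribute early and the <script> element becomes live HTML."""
    return f'<input name="AddressesTo" value="{addresses_to}">'


def render_safe(addresses_to: str) -> str:
    """Encode for an HTML attribute context before reflecting. quote=True also
    turns " and ' into entities, so the value cannot break out of value="..."."""
    return f'<input name="AddressesTo" value="{html.escape(addresses_to, quote=True)}">'


# Characters and tokens that have no business in a list of e-mail addresses.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|on[a-z]+\s*=""", re.IGNORECASE)

# Constructed log lines (assumed layout; the /webmail/ path is a placeholder).
SAMPLE_LOG = """\
2025-12-09 10:00:01 GET /webmail/AddressBook.aspx AddressesTo=alice%40example.com 200
2025-12-09 10:00:05 GET /webmail/AddressBook.aspx AddressesTo=x%22%3E%3Cscript%3Eprobe()%3C%2Fscript%3E 200
2025-12-09 10:00:09 GET /webmail/Inbox.aspx - 200
2025-12-09 10:00:12 GET /webmail/AddressBook.aspx AddressesTo=bob%40example.com&Subject=hi 200
"""


def flag_reflected_xss_probes(log_text: str, page: str = "AddressBook.aspx",
                              param: str = "AddressesTo") -> list[dict]:
    """Return one record per request to `page` whose `param` value contains
    markup. Values are decoded a second time so double-encoded probes
    (%2522 -> %22 -> ") are not missed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        date, clock, method, stem, query, status = parts[:6]
        if query == "-" or not stem.lower().endswith(page.lower()):
            continue
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = unquote_plus(value)  # parse_qs already decoded once
            if SUSPICIOUS.search(decoded):
                hits.append({"time": f"{date} {clock}", "method": method,
                             "status": status, "value": decoded})
    return hits


if __name__ == "__main__":
    print("unsafe:", render_unsafe(MARKUP))
    print("safe:  ", render_safe(MARKUP))
    for hit in flag_reflected_xss_probes(SAMPLE_LOG):
        print("flagged:", hit)
```

The contrast between the two render functions is the whole fix: the encoded output still contains exactly one tag (the input element), whereas the verbatim version contains three. The scanner is deliberately narrow, keyed on the page and parameter the advisory names, so it can be dropped into an existing log-review job to look for exploitation attempts on instances not yet upgraded to 10.54.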

Affected Version(s)

MailEnable, all versions before 10.54 (0 ≤ version < 10.54)

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)