Reflected Cross-Site Scripting Vulnerability in MailEnable Email Software
CVE-2025-34401

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34401?

MailEnable versions prior to 10.54 have a vulnerability in the FieldBcc parameter of the Address Book management interface, which is susceptible to reflected cross-site scripting (XSS) attacks. The vulnerability arises from improper sanitization of user input in the FieldBcc value during GET requests. This flaw allows an attacker to inject malicious scripts that are executed in the context of the victim's browser, particularly during email composition. Successful attacks could redirect users to harmful sites, extract non-HttpOnly cookies, and inject arbitrary HTML or CSS, potentially allowing the attacker to perform actions on behalf of authenticated users.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.