Reflected Cross-Site Scripting Vulnerability in MailEnable Software
CVE-2025-34407

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34407?

MailEnable versions prior to 10.54 exhibit a reflected XSS vulnerability within the theme parameter located in /Mondo/lang/sys/Forms/Statistics.aspx. An attacker can exploit this weakness by sending a specially crafted GET request that contains a malicious payload in the theme value. This payload manipulates the HTML response, breaking out of an existing iframe context to inject arbitrary JavaScript. As a result, when users click on the malicious link, they may inadvertently execute harmful scripts in their browser. This exploitation can lead to unauthorized actions being performed under the victim’s authenticated session, theft of cookies, and redirection to malicious websites.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.