Reflected Cross-Site Scripting Vulnerability in MailEnable by MailEnable
CVE-2025-34409

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34409?

MailEnable versions earlier than 10.54 are susceptible to a reflected cross-site scripting (XSS) vulnerability stemming from the Failed parameter in the /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx endpoint. This issue arises due to improper sanitization of the Failed value during a GET request, allowing an attacker to inject malicious scripts that can break out of existing markup. If exploited, this vulnerability can lead to script execution in a victim's browser when visiting a crafted link, enabling actions such as redirection to malicious sites, theft of non-HttpOnly cookies, and the unauthorized execution of actions as an authenticated user.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.