Reflected Cross-Site Scripting Vulnerability in MailEnable Webmail Interface
CVE-2026-32850

5.1MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
23 March 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-32850?

A reflected cross-site scripting vulnerability exists in MailEnable's webmail interface, affecting versions prior to 10.55. This flaw allows attackers to execute arbitrary JavaScript code in the context of a victim's browser by crafting a malicious URL. The security issue arises from improper sanitization of the SelectedIndex parameter in the ManageShares.aspx form, which is embedded in dynamically generated JavaScript. Successful exploitation of this vulnerability could lead to unauthorized actions on behalf of the user, exposing sensitive information or potentially compromising user accounts.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MailEnable 0 < 10.55

References

https://www.mailenable.com/rss/article.asp?Source=RSSADMI...
vendor-advisorypatch
https://karmainsecurity.com/KIS-2026-05
technical-descriptionexploit
https://mailenable.com/Standard-ReleaseNotes.txt
release-notes

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Egidio Romano
JSON
.