Reflected Cross-Site Scripting in MailEnable Webmail Interface
CVE-2026-32851

5.1MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
23 March 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-32851?

MailEnable versions prior to 10.55 are vulnerable to a reflected cross-site scripting (XSS) issue in the webmail interface. This flaw enables remote attackers to execute arbitrary JavaScript in the victim's browser by crafting a malicious URL. The vulnerability arises from improper sanitization of the Attendees parameter within the FreeBusy.aspx form, allowing attackers to inject malicious code into dynamically generated JavaScript, potentially compromising user security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MailEnable 0 < 10.55

References

https://www.mailenable.com/rss/article.asp?Source=RSSADMI...
vendor-advisorypatch
https://karmainsecurity.com/KIS-2026-05
technical-descriptionexploit
https://mailenable.com/Standard-ReleaseNotes.txt
release-notes

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Egidio Romano
JSON
.