Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
AnalysisAI
Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally authenticated low-privileged user to send email messages to arbitrary recipients. Both the Client Launcher Component through version 19.06.2020 15:11:49 and the Server Component through version 2025.04 5+323020 are affected per NVD CPE data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the integrity and information disclosure impact could enable internal email abuse or phishing pivots from a compromised endpoint.
Technical ContextAI
CWE-345 (Insufficient Verification of Data Authenticity) indicates the Meona application fails to enforce trust boundaries on message origination or recipient targeting within its email-sending functionality. The affected components - cpe:2.3:a:mesalvo:meona_client_launcher_component and cpe:2.3:a:mesalvo:meona_server_component - are part of a healthcare or facility management platform (based on Mesalvo's product domain), where internal notification or messaging features may be integrated. The lack of sender/recipient validation allows the local user context to be abused to inject arbitrary email destinations, bypassing expected application-level controls. The CVSS vector AV:L/AC:L/PR:L/UI:N indicates the exploitation path is fully local, requires no special configuration or user interaction, and operates under a standard low-privileged session.
RemediationAI
Upstream fix details are referenced via the seccore.at security research blog (https://seccore.at/blog/cves-meona/), but no exact patched version number has been independently confirmed from the available input data - patch version should be verified directly with Mesalvo or via their official advisory. Organizations running the Meona Client Launcher Component at or before 19.06.2020 15:11:49 or the Meona Server Component at or before 2025.04 5+323020 should contact Mesalvo for an updated release. As a compensating control pending a patch, restrict local login access to Meona systems to only explicitly authorized personnel, enforcing the principle of least privilege on accounts with access to the Meona client or server environment. Additionally, monitoring outbound SMTP traffic from Meona hosts for unexpected recipient domains can detect abuse of this weakness. Disabling any built-in email notification or messaging features within the application - if operationally feasible - would eliminate the attack surface entirely until a patch is applied.
Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (thro
Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user t
Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users
Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31094
GHSA-r47h-9xx2-mw53