Skip to main content

Mesalvo Meona EUVDEUVD-2026-31094

| CVE-2026-25602 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-20 ENISA GHSA-r47h-9xx2-mw53
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 11:47 vuln.today

DescriptionCVE.org

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

AnalysisAI

Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally authenticated low-privileged user to send email messages to arbitrary recipients. Both the Client Launcher Component through version 19.06.2020 15:11:49 and the Server Component through version 2025.04 5+323020 are affected per NVD CPE data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the integrity and information disclosure impact could enable internal email abuse or phishing pivots from a compromised endpoint.

Technical ContextAI

CWE-345 (Insufficient Verification of Data Authenticity) indicates the Meona application fails to enforce trust boundaries on message origination or recipient targeting within its email-sending functionality. The affected components - cpe:2.3:a:mesalvo:meona_client_launcher_component and cpe:2.3:a:mesalvo:meona_server_component - are part of a healthcare or facility management platform (based on Mesalvo's product domain), where internal notification or messaging features may be integrated. The lack of sender/recipient validation allows the local user context to be abused to inject arbitrary email destinations, bypassing expected application-level controls. The CVSS vector AV:L/AC:L/PR:L/UI:N indicates the exploitation path is fully local, requires no special configuration or user interaction, and operates under a standard low-privileged session.

RemediationAI

Upstream fix details are referenced via the seccore.at security research blog (https://seccore.at/blog/cves-meona/), but no exact patched version number has been independently confirmed from the available input data - patch version should be verified directly with Mesalvo or via their official advisory. Organizations running the Meona Client Launcher Component at or before 19.06.2020 15:11:49 or the Meona Server Component at or before 2025.04 5+323020 should contact Mesalvo for an updated release. As a compensating control pending a patch, restrict local login access to Meona systems to only explicitly authorized personnel, enforcing the principle of least privilege on accounts with access to the Meona client or server environment. Additionally, monitoring outbound SMTP traffic from Meona hosts for unexpected recipient domains can detect abuse of this weakness. Disabling any built-in email notification or messaging features within the application - if operationally feasible - would eliminate the attack surface entirely until a patch is applied.

Share

EUVD-2026-31094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy