Skip to main content

Mailenable

11 CVEs product

Monthly

CVE-2026-32852 MEDIUM POC PATCH This Month

MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the StartDate parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject malicious code through a crafted URL. A public proof-of-concept exploit is available, and a patch has been released by the vendor, making this a moderate-to-high priority issue for organizations running affected versions.

XSS Mailenable
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-32851 MEDIUM POC PATCH This Month

MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the Attendees parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to craft malicious URLs that compromise user sessions and steal sensitive data. A public proof-of-concept exploit is available, increasing the practical risk to deployed MailEnable installations.

XSS Mailenable
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-32850 MEDIUM POC PATCH This Month

MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL targeting the ManageShares.aspx form. The SelectedIndex parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject and execute malicious code. A publicly available proof-of-concept exploit exists, and a patch has been released by the vendor.

XSS Mailenable
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-44148 CRITICAL POC THREAT Emergency

XSS in MailEnable before v10 via failure.aspx. EPSS 11.5%. PoC available.

RCE XSS Mailenable
NVD GitHub
CVSS 3.1
9.8
EPSS
11.5%
CVE-2019-12927 MEDIUM This Month

MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mailenable
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-12926 HIGH This Week

MailEnable Enterprise Premium 10.23 did not use appropriate access control checks in a number of areas. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mailenable
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2019-12925 HIGH This Week

MailEnable Enterprise Premium 10.23 was vulnerable to multiple directory traversal issues, with which authenticated users could add, remove, or potentially read files in arbitrary folders accessible. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Mailenable
NVD
CVSS 3.0
8.1
EPSS
1.8%
CVE-2019-12924 CRITICAL Act Now

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mailenable
NVD
CVSS 3.0
9.8
EPSS
0.9%
CVE-2019-12923 MEDIUM This Month

In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mailenable
NVD
CVSS 3.0
6.5
EPSS
0.6%
CVE-2012-2588 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Mailenable
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
0.4%
CVE-2012-0389 MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 33.8%.

XSS Mailenable
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
33.8%
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the StartDate parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject malicious code through a crafted URL. A public proof-of-concept exploit is available, and a patch has been released by the vendor, making this a moderate-to-high priority issue for organizations running affected versions.

XSS Mailenable
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the Attendees parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to craft malicious URLs that compromise user sessions and steal sensitive data. A public proof-of-concept exploit is available, increasing the practical risk to deployed MailEnable installations.

XSS Mailenable
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL targeting the ManageShares.aspx form. The SelectedIndex parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject and execute malicious code. A publicly available proof-of-concept exploit exists, and a patch has been released by the vendor.

XSS Mailenable
NVD VulDB
EPSS 11% CVSS 9.8
CRITICAL POC THREAT Emergency

XSS in MailEnable before v10 via failure.aspx. EPSS 11.5%. PoC available.

RCE XSS Mailenable
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mailenable
NVD
EPSS 1% CVSS 8.8
HIGH This Week

MailEnable Enterprise Premium 10.23 did not use appropriate access control checks in a number of areas. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mailenable
NVD
EPSS 2% CVSS 8.1
HIGH This Week

MailEnable Enterprise Premium 10.23 was vulnerable to multiple directory traversal issues, with which authenticated users could add, remove, or potentially read files in arbitrary folders accessible. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Mailenable
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mailenable
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mailenable
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Mailenable
NVD Exploit-DB
EPSS 34% CVSS 4.3
MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 33.8%.

XSS Mailenable
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy