Skip to main content

Meona Client Launcher Component

5 CVEs product

Monthly

CVE-2026-25602 MEDIUM This Month

Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally authenticated low-privileged user to send email messages to arbitrary recipients. Both the Client Launcher Component through version 19.06.2020 15:11:49 and the Server Component through version 2025.04 5+323020 are affected per NVD CPE data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the integrity and information disclosure impact could enable internal email abuse or phishing pivots from a compromised endpoint.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0857 MEDIUM This Month

Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the Meona Server Component from Mesalvo, exposing confidential data to local privileged attackers. The CVSS vector (AV:L/PR:H/S:C/C:H) indicates that a locally authenticated administrator can read sensitive material - likely credentials or session tokens - directly from process memory, with the changed scope suggesting this exposure can cascade to resources or components beyond the initially compromised process. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-22315 HIGH This Week

Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users to abuse the built-in SQL editor to exfiltrate user records - including cleartext-stored passwords - from the application backend. The flaw affects Meona Client Launcher up to build dated 19.06.2020 15:11:49 and Meona Server Component up to 2025.04 5+323020. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-0856 HIGH This Week

Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.

Authentication Bypass Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-22314 CRITICAL Act Now

Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (through 2025.04 5+323020) allows an authenticated, low-privileged attacker to execute code on other users' systems via crafted input that crosses a scope boundary, with user interaction required on the victim side. CVSS 9.0 reflects the cross-user/cross-system impact (Scope:Changed) and full CIA compromise; no public exploit identified at time of analysis. The product is a clinical/healthcare workflow platform, so successful exploitation can pivot between hospital workstations and the server tier.

Code Injection RCE Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
9.0
EPSS
0.0%
EPSS 0% CVSS 4.4
MEDIUM This Month

Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally authenticated low-privileged user to send email messages to arbitrary recipients. Both the Client Launcher Component through version 19.06.2020 15:11:49 and the Server Component through version 2025.04 5+323020 are affected per NVD CPE data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the integrity and information disclosure impact could enable internal email abuse or phishing pivots from a compromised endpoint.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the Meona Server Component from Mesalvo, exposing confidential data to local privileged attackers. The CVSS vector (AV:L/PR:H/S:C/C:H) indicates that a locally authenticated administrator can read sensitive material - likely credentials or session tokens - directly from process memory, with the changed scope suggesting this exposure can cascade to resources or components beyond the initially compromised process. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users to abuse the built-in SQL editor to exfiltrate user records - including cleartext-stored passwords - from the application backend. The flaw affects Meona Client Launcher up to build dated 19.06.2020 15:11:49 and Meona Server Component up to 2025.04 5+323020. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.

Authentication Bypass Meona Client Launcher Component Meona Server Component
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (through 2025.04 5+323020) allows an authenticated, low-privileged attacker to execute code on other users' systems via crafted input that crosses a scope boundary, with user interaction required on the victim side. CVSS 9.0 reflects the cross-user/cross-system impact (Scope:Changed) and full CIA compromise; no public exploit identified at time of analysis. The product is a clinical/healthcare workflow platform, so successful exploitation can pivot between hospital workstations and the server tier.

Code Injection RCE Meona Client Launcher Component +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy