Description
Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
Published: 2026-05-20
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mesalvo Meona components lack adequate verification of data authenticity, allowing an attacker to craft messages that appear to originate from any email address. This vulnerability, identified as CWE-345, can lead to phishing, unauthorized communication, and erosion of trust in the affected systems. The primary impact is the ability for malicious actors to send emails to any destination that seem legitimate, potentially compromising reputational or operational integrity.

Affected Systems

Mesalvo’s Meona Client Launcher Component through version 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020 are affected by this flaw, as specified by the vendor.

Risk and Exploitability

The CVSS score of 4.4 indicates a moderate severity, and the EPSS score is not available, providing no insight into current exploit likelihood. The vulnerability is not listed in the CISA KEV catalog. Attackers can potentially exploit the messaging interface of the components via a network connection, sending spoofed emails without needing elevated privileges on the targeted system.

Generated by OpenCVE AI on May 20, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Mesalvo Meona Client Launcher and Server component updates that address this verification issue.
  • If a patch is unavailable, restrict outbound email operations to pre‑approved addresses or implement additional validation on the mail server to reject spoofed senders.
  • Enable and enforce SPF, DKIM, and DMARC for your domain, and monitor email logs for abnormal sending patterns to detect and mitigate spoofed traffic.

Generated by OpenCVE AI on May 20, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://seccore.at/blog/cves-meona/ cve-icon cve-icon
History

Wed, 20 May 2026 12:45:00 +0000

Type Values Removed Values Added
Title Email Spoofing via Unverified Data in Mesalvo Meona Components

Wed, 20 May 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:15:00 +0000

Type Values Removed Values Added
Description Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-20T12:00:29.697Z

Reserved: 2026-02-03T07:24:49.548Z

Link: CVE-2026-25602

cve-icon Vulnrichment

Updated: 2026-05-20T12:00:17.013Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T11:16:26.313

Modified: 2026-05-20T14:03:10.193

Link: CVE-2026-25602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T12:30:16Z

Weaknesses