Description
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the SelectedIndex parameter in the ManageShares.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Published: 2026-03-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side XSS
Action: Patch now
AI Analysis

Impact

MailEnable versions before 10.55 contain a reflected cross‑site scripting flaw in the webmail interface. A value supplied in the SelectedIndex parameter of ManageShares.aspx is written into dynamically generated JavaScript without proper neutralisation, so a crafted value can break out of the surrounding script context and append code of the attacker's choosing. Because the reflection point is a script context rather than plain HTML, HTML‑encoding alone is not the relevant defence; the value has to be escaped for a JavaScript context. When a user opens the crafted URL, the injected script runs in the victim's browser under the webmail origin, which permits the usual reflected‑XSS outcomes: reading or altering page content, issuing requests in the victim's webmail session, and manipulating the UI. The weakness is CWE‑79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

The impacted product is MailEnable. The CPE recorded for this CVE is cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*, i.e. the Standard edition with no version bound other than "earlier than 10.55". Any such installation whose webmail interface, and with it ManageShares.aspx, is reachable by users carries the unfiltered parameter. Administrators should confirm the exact installed version rather than rely on edition or platform.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) rates the flaw Medium; the v3.1 assessment also on record is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Both vectors say the same thing: the attacker needs no credentials, the victim must actively open the crafted link, and the impact lands in the victim's browser session rather than on the server. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog. Note, however, that the SSVC enrichment records exploitation status "poc" and automatable "yes", so a working proof of concept is on record and the low EPSS should not be read as "no exploit exists". The risk therefore sits with users of the webmail interface, who can be sent a ManageShares.aspx link and have script executed in their sessions.

Generated by OpenCVE AI on March 30, 2026 at 15:52 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description names 10.55 as the first version without the flaw, so upgrading to 10.55 or later is the remediation; until the upgrade is applied, exposure can only be reduced by limiting who can reach the webmail interface.

OpenCVE Recommended Actions

  • Verify the MailEnable version in use; any build older than 10.55 is vulnerable.
  • Apply the official update to version 10.55 or later to remove the reflected‑XSS flaw.
  • After the update, request ManageShares.aspx with a harmless marker value (for example one containing a quote character) in SelectedIndex and confirm that the marker comes back escaped, or not at all, inside the generated script; then confirm that normal mail and share management operations continue as expected.
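The Impact section above describes the flaw as a parameter written unescaped into generated JavaScript, and the last action above asks for a post-update check of exactly that. The following Python script is an added example, not MailEnable's code and not part of the CVE record: its two render_* functions are a hypothetical stand-in for such a page (one concatenating the value raw, one JSON-encoding it), and its checker classifies a response fetched with a harmless marker in SelectedIndex. The marker, the sentinels, the breakout heuristic and the base URL argument are all assumptions.

```python
"""Probe and fix pattern for a query parameter echoed into generated JavaScript.

Added example, not MailEnable's code. The two render_* functions are a
hypothetical stand-in for a page that writes the SelectedIndex value into a
<script> block; the marker, the base URL argument and the heuristic are
assumptions. Run with no argument to see the checker classify both renderings;
run with the URL of the ManageShares.aspx page to probe an instance you are
authorised to test.
"""
import json
import re
import sys
import urllib.parse
import urllib.request

PARAM = "SelectedIndex"            # parameter named in the advisory
PREFIX, SUFFIX = "zq9", "9qz"      # constructed sentinels bracketing the probe
PROBE_BODY = "'\""                 # both JS string delimiters, nothing executable
MARKER = PREFIX + PROBE_BODY + SUFFIX


def render_vulnerable(idx: str) -> str:
    """Hypothetical defect: raw concatenation into a single-quoted JS literal."""
    return "<html><script>var selectedIndex = '" + idx + "';</script></html>"


def render_hardened(idx: str) -> str:
    """JSON-encode the value (quotes, backslashes, control characters escaped) and
    neutralise '</' so a '</script>' inside the value cannot close the element."""
    literal = json.dumps(idx).replace("</", "<\\/")
    return "<html><script>var selectedIndex = " + literal + ";</script></html>"


SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def js_literal_breakout(script: str) -> bool:
    """True if the reflected probe terminates the JS string literal enclosing it.

    Heuristic: the delimiter is the nearest unescaped quote before PREFIX; the
    reflected span is whatever sits between PREFIX and SUFFIX. A breakout is that
    same delimiter appearing unescaped inside the span. Values the server strips
    or HTML-encodes therefore do not count, only a live, unescaped delimiter.
    """
    start = script.find(PREFIX)
    if start < 0:
        return False
    end = script.find(SUFFIX, start + len(PREFIX))
    if end < 0:
        return False
    delim = None
    for i in range(start - 1, -1, -1):
        if script[i] in "'\"" and (i == 0 or script[i - 1] != "\\"):
            delim = script[i]
            break
    if delim is None:
        return False
    span = script[start + len(PREFIX):end]
    return any(ch == delim and (j == 0 or span[j - 1] != "\\")
               for j, ch in enumerate(span))


def check_response(body: str) -> dict:
    """Classify one HTTP response body fetched with MARKER in the parameter."""
    blocks = SCRIPT_RE.findall(body)
    reflected = any(PREFIX in b for b in blocks)
    breakout = any(js_literal_breakout(b) for b in blocks)
    return {"reflected_in_script": reflected, "breakout": breakout}


def build_probe_url(base: str) -> str:
    """base is the operator-supplied URL of ManageShares.aspx (assumed, not given on the page)."""
    return base + "?" + urllib.parse.urlencode({PARAM: MARKER})


def main(argv):
    if len(argv) < 2:
        for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
            print(name, check_response(render(MARKER)))
        return 0
    url = build_probe_url(argv[1])
    with urllib.request.urlopen(url, timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    print(url, check_response(body))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The checker deliberately distinguishes "reflected" from "breakout": a fixed build that still echoes the marker, but with the enclosing quote escaped, reports reflected_in_script True and breakout False, which is the expected post-update result. Treat that as "encoded", not as proof of safety: the heuristic only covers a value placed inside a quoted JavaScript literal, so a value reflected in a bare code position or in an HTML attribute would need a different probe, and a manual look at the returned script remains worthwhile.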



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 14:45:00 +0000

Type: CPEs. Values added: cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*
Type: Metrics. Values added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 24 Mar 2026 15:15:00 +0000

Type: Metrics. Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared. Values added: Mailenable; Mailenable mailenable
Type: Vendors & Products. Values added: Mailenable; Mailenable mailenable

Mon, 23 Mar 2026 19:30:00 +0000

Type: Description. Values added: MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the SelectedIndex parameter in the ManageShares.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Type: Title. Values added: MailEnable < 10.55 Reflected XSS via ManageShares.aspx SelectedIndex Parameter
Type: Weaknesses. Values added: CWE-79
Type: References. (no values shown)
Type: Metrics. Values added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T14:21:43.953Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32850

Vulnrichment

Updated: 2026-03-24T14:20:47.579Z

NVD

Status : Analyzed

Published: 2026-03-23T20:16:26.850

Modified: 2026-03-30T14:34:21.400

Link: CVE-2026-32850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:15Z

Weaknesses