Description
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Published: 2026-03-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MailEnable versions prior to 10.55 contain a reflected cross‑site scripting flaw in the webmail interface. The StartDate parameter of FreeBusy.aspx is inserted into dynamically generated JavaScript without proper encoding, so an attacker can craft a URL whose StartDate value breaks out of the JavaScript context it is embedded in and appends arbitrary code. That code runs in the victim's browser, in the webmail origin, when the victim opens the link. From there it can read whatever the page can (the mailbox DOM, and session cookies unless they are marked HttpOnly) and issue authenticated requests to the webmail backend as the victim.

Affected Systems

The CPE recorded on this page covers only the MailEnable Standard Edition (cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*), with every version before 10.55 in scope. The description does not exclude other editions that ship the same webmail interface, but this page lists none; treat any build that serves FreeBusy.aspx and predates 10.55 as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 (vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) rates the issue medium; the CVSS 3.1 score recorded in the history below is 6.1. Both vectors agree on the shape of the attack: reachable over the network, no privileges required, but the victim must act (open a crafted link), and the impact lands in the victim's browser rather than on the server. The EPSS score of less than 1 % points to a low likelihood of exploitation, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog, so there is no sign of widespread active exploitation yet. Note, however, that the SSVC assessment in the history marks Exploitation as "poc", meaning a proof of concept is known. Because the payload travels in a URL and is reflected by the server into the page, the fix belongs on the server: the webmail page must encode the StartDate value for the JavaScript context it is inserted into, and no client-side setting substitutes for the update.

Generated by OpenCVE AI on May 8, 2026 at 20:28 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description scopes the flaw to versions prior to 10.55, which implies 10.55 is the first fixed release.

OpenCVE Recommended Actions

  • Update MailEnable to version 10.55 or newer; the description scopes the flaw to versions prior to 10.55.
  • Until the update is applied, restrict who can reach FreeBusy.aspx (web server or firewall rules, or authentication). This only narrows exposure: a reflected XSS executes in the browser of any user who can still load the page via the crafted URL, so it is no substitute for patching.
  • Regularly consult MailEnable’s website or release notes for new security advisories.



Advisories

No advisories yet.

History

Fri, 08 May 2026 15:30:00 +0000


Fri, 08 May 2026 14:45:00 +0000

Description
  Removed: MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
  Added: MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Title
  Removed: MailEnable < 10.55 Reflected XSS via FreeBusy.aspx Attendees Parameter
  Added: MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter
References
  (no values displayed)

Mon, 30 Mar 2026 14:45:00 +0000

CPEs
  Added: cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*
Metrics
  Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 24 Mar 2026 10:45:00 +0000

First Time appeared
  Added: Mailenable; Mailenable mailenable
Vendors & Products
  Added: Mailenable; Mailenable mailenable

Tue, 24 Mar 2026 02:30:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 19:30:00 +0000

Description
  Added: MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Title
  Added: MailEnable < 10.55 Reflected XSS via FreeBusy.aspx Attendees Parameter
Weaknesses
  Added: CWE-79
References
  (no values displayed)
Metrics
  Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Mailenable Mailenable
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-08T14:00:31.931Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32851

Vulnrichment

Updated: 2026-03-23T19:46:27.709Z

NVD

Status : Modified

Published: 2026-03-23T20:16:27.020

Modified: 2026-05-08T15:16:36.230

Link: CVE-2026-32851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T20:30:16Z

Weaknesses