Description
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Published: 2026-03-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript execution
Action: Patch
AI Analysis

Impact

MailEnable versions prior to 10.55 suffer from a reflected cross‑site scripting flaw in the webmail interface. The value of the Attendees parameter of FreeBusy.aspx is inserted into dynamically generated JavaScript without encoding, so a crafted URL can break out of the intended script context and run attacker‑chosen JavaScript in the victim's browser, in the webmail's own origin. Successful exploitation lets the attacker run client‑side code with the victim's webmail session: stealing session cookies that are not marked HttpOnly, or performing actions in the webmail on the victim's behalf.

Affected Systems

The CPE recorded on this page (cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*) names the Standard Edition; the description itself covers every MailEnable release older than 10.55 whose webmail interface serves the FreeBusy.aspx page.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (NVD's v3.1 score is 6.1) indicates moderate severity, and the EPSS score below 1 % points to a low likelihood of exploitation in the wild. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog, but the SSVC assessment recorded on this page marks Exploitation as 'poc', so a public proof of concept exists. The attacker needs no account or privileges (PR:N) and only a reachable webmail interface, but a victim must open the crafted URL (UI:A), and the injected script is only as powerful as the webmail session it runs in. Because the payload is reflected by the server and delivered through the victim's browser, prevention rests on patching the server.

Generated by OpenCVE AI on March 30, 2026 at 15:52 UTC.

Remediation

The Remediation field on this page records no vendor fix or workaround. The description's wording "prior to 10.55" implies, however, that 10.55 contains the fix, and the recommended actions below rely on that.

OpenCVE Recommended Actions

  • Apply the latest MailEnable patch by upgrading to version 10.55 or newer.
  • Verify after patching that a test value supplied in the Attendees parameter of FreeBusy.aspx is no longer reflected unencoded into the page's JavaScript output.
  • Regularly consult MailEnable’s website or release notes for updates and new security advisories.
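The flaw mechanism described under Impact and the post-patch check in the second action above, as an added worked example in Python. This is not MailEnable's code and not part of the OpenCVE page: the two renderers are hypothetical models of a page that concatenates a query parameter into a <script> block and of its hardened form, and PAGE_PATH, the GET-based probing and the assumption that no session is needed are all assumptions about the real FreeBusy.aspx. The probe string is a harmless unique token plus the quote and angle-bracket characters that any correct JavaScript-string encoding must alter.

```python
"""Added example for this advisory; not MailEnable code and not part of the
OpenCVE page. Models the flaw class (a query parameter reflected into a
dynamically generated <script> block) with two HYPOTHETICAL renderers and
implements the post-patch check: send a harmless unique probe as the
Attendees parameter and test whether it lands unescaped inside a <script>
block. The real page's path, markup and parameter handling are assumptions."""
import json
import secrets
import urllib.parse
import urllib.request
from html.parser import HTMLParser

PAGE_PATH = "/FreeBusy.aspx"      # assumed; adjust to your webmail's real path
FIXED_VERSION = (10, 55)          # from the advisory: fixed in 10.55


def make_probe(token: str = "") -> str:
    """Unique, harmless reflection probe. The quote and '<' are characters a
    correct JavaScript-string encoding must change; a bare token would look
    identical before and after the fix."""
    token = token or secrets.token_hex(6)
    return f"fb{token}'\"<"


def render_vulnerable(attendees: str) -> str:
    """Hypothetical model of the pre-10.55 behaviour: the raw parameter value
    is concatenated straight into JavaScript source."""
    return (
        "<html><body><script>\n"
        f"var attendees = '{attendees}';\n"
        "loadFreeBusy(attendees);\n"
        "</script></body></html>"
    )


def render_fixed(attendees: str) -> str:
    """Hardened form: emit the value as a JSON string literal (quotes and
    backslashes escaped) and also escape '<' so the literal can never carry a
    '</script>' sequence that would terminate the enclosing script block."""
    safe = json.dumps(attendees).replace("<", "\\u003c")
    return (
        "<html><body><script>\n"
        f"var attendees = {safe};\n"
        "loadFreeBusy(attendees);\n"
        "</script></body></html>"
    )


class _ScriptCollector(HTMLParser):
    """Collect the text content of every <script> element in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def reflected_unescaped(html: str, probe: str) -> bool:
    """True if the probe appears byte-for-byte inside a <script> block, i.e.
    its special characters survived unencoded (the pre-patch symptom).
    Encoded reflection, or reflection outside script context, returns False."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return any(probe in script for script in collector.scripts)


def needs_patch(version: str) -> bool:
    """True if a MailEnable version string such as '10.54' is below 10.55."""
    parts = tuple(int(p) for p in version.strip().split(".")[:2])
    return parts < FIXED_VERSION


def probe_live(base_url: str, timeout: float = 10.0) -> bool:
    """Fetch FreeBusy.aspx with the probe in the Attendees parameter and report
    whether it is reflected unescaped. Assumes the page accepts a GET and no
    session; urllib raises HTTPError on a 4xx/5xx response."""
    probe = make_probe()
    query = urllib.parse.urlencode({"Attendees": probe})
    url = f"{base_url.rstrip('/')}{PAGE_PATH}?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return reflected_unescaped(body, probe)


if __name__ == "__main__":
    p = make_probe("deadbeef0123")
    print("vulnerable model reflects probe:", reflected_unescaped(render_vulnerable(p), p))
    print("fixed model reflects probe:", reflected_unescaped(render_fixed(p), p))
    print("10.54 needs patch:", needs_patch("10.54"), "| 10.55 needs patch:", needs_patch("10.55"))
```

Run the file as-is to see the two models disagree on the same probe; call probe_live("https://webmail.example") against your own server once PAGE_PATH matches the deployed path. A True result after upgrading means the parameter is still reaching script output unencoded and the upgrade has not taken effect.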

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 14:45:00 +0000

  Type      Values Removed   Values Added
  CPEs      (none)           cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*
  Metrics   (none)           cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Mar 2026 10:45:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   (none)           Mailenable; Mailenable mailenable
  Vendors & Products    (none)           Mailenable; Mailenable mailenable

Tue, 24 Mar 2026 02:30:00 +0000

  Type      Values Removed   Values Added
  Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:30:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
  Title         (none)           MailEnable < 10.55 Reflected XSS via FreeBusy.aspx Attendees Parameter
  Weaknesses    (none)           CWE-79
  References    (none)
  Metrics       (none)           cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T19:46:36.029Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32851

Vulnrichment

Updated: 2026-03-23T19:46:27.709Z

NVD

Status : Analyzed

Published: 2026-03-23T20:16:27.020

Modified: 2026-03-30T14:30:43.720

Link: CVE-2026-32851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:14Z

Weaknesses