Description
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Published: 2026-03-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side script execution
Action: Patch
AI Analysis

Impact

MailEnable versions earlier than 10.55 contain a reflected cross-site scripting vulnerability in the webmail page FreeBusy.aspx. The page takes the StartDate query parameter and embeds it in dynamically generated JavaScript without escaping it for that context, so a remote attacker can build a URL whose StartDate value breaks out of the intended value and carries arbitrary script. When a user opens the crafted link, that script runs in the user's browser within the webmail origin, where it can read what the page shows, issue requests with the user's session, or redirect the user.

Affected Systems

The description scopes the flaw to MailEnable versions prior to 10.55, in the webmail component FreeBusy.aspx. The NVD CPE match recorded in the history below names the Standard edition; the description itself does not restrict the issue to a particular edition, so other editions that ship the same webmail code should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (Medium) is the one shown above; NVD's v3.1 assessment is 6.1, also Medium, with a changed scope (S:C) because the injected script runs in the victim's browser rather than on the server. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, although the SSVC entry in the history below records a public proof of concept (Exploitation: poc). No authentication or local privileges are needed (PR:N), but the attack depends on a victim opening the crafted link (UI:A in v4.0, UI:R in v3.1), so the vector is remote with required user interaction.

Generated by OpenCVE AI on March 30, 2026 at 17:30 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description identifies 10.55 as the first version that does not contain the flaw, so upgrading to that release or later is the fix.

OpenCVE Recommended Actions

  • Update MailEnable to version 10.55 or later; the description names that release as the first not affected.
  • After upgrading (in a test environment first where possible), confirm that FreeBusy.aspx no longer reflects the StartDate value unescaped into its inline script, for example by requesting the page with a StartDate value that is not a date and contains quote characters and checking that the value does not appear verbatim inside a <script> block of the response.
  • If an immediate update is not possible, reduce exposure of the webmail interface (restrict it to trusted networks or VPN where feasible), consider rejecting requests to FreeBusy.aspx whose StartDate parameter does not look like a date at a reverse proxy or WAF, warn users about unexpected links to the webmail host, and watch for a vendor advisory.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*
Metrics | (none) | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 24 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Mailenable; Mailenable mailenable
Vendors & Products | (none) | Mailenable; Mailenable mailenable

Mon, 23 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Title | (none) | MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter
Weaknesses | (none) | CWE-79
References | (none) | (none)
Metrics | (none) | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Mailenable Mailenable
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T15:13:27.501Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32852

Vulnrichment

Updated: 2026-03-24T14:01:07.302Z

NVD

Status: Analyzed

Published: 2026-03-23T20:16:27.197

Modified: 2026-03-30T14:29:09.667

Link: CVE-2026-32852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:13Z

Weaknesses