CVE-2025-34403

UNKNOWN 0.0

MailEnable < 10.54 Reflected XSS in FieldTo Parameter of AddressBook.aspx

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var fieldTo. By supplying a crafted payload that terminates the existing Finish() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

CWE	CWE-79
Vendor	mailenable
Product	mailenable
Published	Dec 9, 2025
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for mailenable mailenable

Be the first to know when new unknown vulnerabilities affecting mailenable mailenable are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

MailEnable / MailEnable

0 < 10.54

References

NVD ↗ CVE.org ↗ EPSS Data ↗

mailenable.com: https://mailenable.com/Standard-ReleaseNotes.txt mailenable.com: https://www.mailenable.com/ vulncheck.com: https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldto-parameter-of-addressbook-aspx

Credits

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)