CVE-2025-34409

UNKNOWN 0.0

MailEnable < 10.54 Reflected XSS in Failed Parameter of MAI/AddRecipientsResult.aspx

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

CWE	CWE-79
Vendor	mailenable
Product	mailenable
Published	Dec 9, 2025
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for mailenable mailenable

Be the first to know when new unknown vulnerabilities affecting mailenable mailenable are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

MailEnable / MailEnable

0 < 10.54

References

NVD ↗ CVE.org ↗ EPSS Data ↗

mailenable.com: https://mailenable.com/Standard-ReleaseNotes.txt mailenable.com: https://www.mailenable.com/ vulncheck.com: https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-failed-parameter-of-mai-addrecipientsresult-aspx

Credits

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)