🔐 CVE Alert

CVE-2026-32851

UNKNOWN 0.0

MailEnable < 10.55 Reflected XSS via FreeBusy.aspx Attendees Parameter

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.

CWE CWE-79
Vendor mailenable
Product mailenable
Published Mar 23, 2026
Last Updated Mar 23, 2026
Affected Versions

MailEnable / MailEnable
0 < 10.55

References

mailenable.com: https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055
karmainsecurity.com: https://karmainsecurity.com/KIS-2026-05
mailenable.com: https://mailenable.com/Standard-ReleaseNotes.txt
mailenable.com: https://www.mailenable.com/
vulncheck.com: https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter

Credits

Egidio Romano