MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
References
| Link | Resource |
|---|---|
| https://karmainsecurity.com/KIS-2026-05 | Exploit Third Party Advisory |
| https://mailenable.com/Standard-ReleaseNotes.txt | Release Notes |
| https://www.mailenable.com/ | Product |
| https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055 | Release Notes |
| https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter | Third Party Advisory |
Configurations
History
30 Mar 2026, 14:30
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://karmainsecurity.com/KIS-2026-05 - Exploit, Third Party Advisory | |
| References | () https://mailenable.com/Standard-ReleaseNotes.txt - Release Notes | |
| References | () https://www.mailenable.com/ - Product | |
| References | () https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055 - Release Notes | |
| References | () https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter - Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| First Time |
Mailenable
Mailenable mailenable |
|
| CPE | cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:* |
Information
Published : 2026-03-23 20:16
Updated : 2026-03-30 14:30
NVD link : CVE-2026-32851
Mitre link : CVE-2026-32851
CVE.ORG link : CVE-2026-32851
JSON object : View
Products Affected
mailenable
- mailenable
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')