CVE-2026-32851

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Configurations

Configuration 1

cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*

History

08 May 2026, 15:16

Type: References
  Values Removed:
  • https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter - Third Party Advisory (source: disclosure@vulncheck.com)
  Values Added:
  • https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-startdate-parameter -
Type: Summary
  Values Removed:
  • (en) MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
  Values Added:
  • (en) MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.

30 Mar 2026, 14:30

Type: Summary
  Values Added:
  • (es) MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
Type: CPE
  Values Added: cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*
Type: First Time
  Values Added:
  • Mailenable mailenable
  • Mailenable
Type: References
  Values Removed: https://karmainsecurity.com/KIS-2026-05 -
  Values Added: https://karmainsecurity.com/KIS-2026-05 - Exploit, Third Party Advisory
Type: References
  Values Removed: https://mailenable.com/Standard-ReleaseNotes.txt -
  Values Added: https://mailenable.com/Standard-ReleaseNotes.txt - Release Notes
Type: References
  Values Removed: https://www.mailenable.com/ -
  Values Added: https://www.mailenable.com/ - Product
Type: References
  Values Removed: https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055 -
  Values Added: https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055 - Release Notes
Type: References
  Values Removed: https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter -
  Values Added: https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter - Third Party Advisory
Type: CVSS
  Values Removed: v2 : unknown, v3 : unknown
  Values Added: v2 : unknown, v3 : 6.1

23 Mar 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-23 20:16

Updated : 2026-05-08 15:16


NVD link : CVE-2026-32851

Mitre link : CVE-2026-32851

CVE.ORG link : CVE-2026-32851



Products Affected

mailenable

  • mailenable
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')