MailEnable <= 10.54 Multiple Reflected Cross-Site Scripting Vulnerabilities

• Software Link:

https://www.mailenable.com

• Affected Versions:

Version 10.54 and prior versions.

• Vulnerabilities Description:

1) Vulnerable code in ManageShares.aspx

User input passed through the “SelectedIndex” GET parameter to the /Mondo/lang/sys/Forms/ManageShares.aspx page is not properly sanitized before being used to generate JavaScript code, allowing an attacker to break out of the existing function and inject arbitrary JavaScript. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks.

Proof of Concept:

https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/ManageShares.aspx?SelectedIndex=%27;}alert(%27XSS%27);function%20x(){return%27

An attacker can use a crafted link like the one above to trick a victim user into issuing a request containing a malicious payload. The application reflects unsanitized input into JavaScript code, enabling execution of arbitrary script in the victim’s browser.

2) Vulnerable code in FreeBusy.aspx

User input passed through the “Attendees” GET parameter to the /Mondo/lang/sys/Forms/CAL/FreeBusy.aspx page is not properly sanitized before being used to generate JavaScript code, allowing an attacker to break out of the existing function and inject arbitrary JavaScript. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks.

Proof of Concept:

https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/CAL/FreeBusy.aspx?Attendees=%27);}alert(%27XSS%27);function%20x(){return%20x(%27

An attacker can use a crafted link like the one above to trick a victim user into issuing a request containing a malicious payload. The application reflects unsanitized input into JavaScript code, enabling execution of arbitrary script in the victim’s browser.

3) Vulnerable code in FreeBusy.aspx

User input passed through the “StartDate” GET parameter to the /Mondo/lang/sys/Forms/CAL/FreeBusy.aspx page is not properly sanitized before being used to generate JavaScript code, allowing an attacker to break out of the existing function and inject arbitrary JavaScript. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks.

Proof of Concept:

https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/CAL/FreeBusy.aspx?StartDate=%27);}alert(%27XSS%27);function%20x(){return%20x(%27

An attacker can use a crafted link like the one above to trick a victim user into issuing a request containing a malicious payload. The application reflects unsanitized input into JavaScript code, enabling execution of arbitrary script in the victim’s browser.

• Solution:

Upgrade to version 10.55 or later.

• Disclosure Timeline:

[24/02/2026] – Vendor notified

[02/03/2026] – Vendor released version 10.55, including fixes for these vulnerabilities

[02/03/2026] – CVE identifiers requested

[23/03/2026] – Public disclosure

[23/03/2026] – CVE identifiers assigned

• CVE Reference:

The following CVE identifiers have been assigned to these vulnerabilities:

• CVE-2026-32850 for vulnerability (1)
• CVE-2026-32851 for vulnerability (2)
• CVE-2026-32852 for vulnerability (3)

• Credits:

Vulnerabilities discovered by Egidio Romano.

• Other References:

https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055