CVE-2025-34402 MEDIUM

CVE-2025-34402: MailEnable < 10.54 Reflected XSS in FieldCc Parameter of AddressBook.aspx

Vendor Mailenable
Product MailEnable
Weakness CWE-79 · XSS
Published December 9, 2025
Last update May 14, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldCc value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var CCFieldProvided. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

Key dates

02Disclosure timeline

December 9, 2025 CVE published
May 14, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-2517 Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via Caption - On Hover CVE-2025-15188 Campcodes Complete Online Beauty Parlor Management System search-invoices.php cross site scripting CVE-2026-6622 BichitroGan ISP Billing Software Customer edit cross site scripting CVE-2025-53581 WordPress RSS Feed Pro Plugin <= 1.1.8 - Cross Site Scripting (XSS) Vulnerability CVE-2025-48163 WordPress SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support <= 3.5.4 - Cross Site Scripting (XSS) Vulnerability