CVE-2025-34404 MEDIUM

CVE-2025-34404: MailEnable < 10.54 Reflected XSS in InstanceScope Parameter of CAL/compose.aspx

Vendor Mailenable
Product MailEnable
Weakness CWE-79 · XSS
Published December 9, 2025
Last update May 14, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var gInstanceScope. By supplying a crafted payload that terminates the existing PageLoad() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

Key dates

02Disclosure timeline

December 9, 2025 CVE published
May 14, 2026 Record updated

Related vulnerabilities

04Related CVE