CVE-2026-32852 MEDIUM

CVE-2026-32852: MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter

Vendor Mailenable

Product MailEnable

Weakness CWE-79 · XSS

Published March 23, 2026

Last update May 8, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.

Key dates

02Disclosure timeline

March 23, 2026 CVE published

May 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32852

Related vulnerabilities

CVE-2026-32852: MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter

01Description

02Disclosure timeline

03References

04Related CVE