CVE-2026-32852
Published: Mar 23, 2026
Modified: May 8, 2026
PUBLISHED
Description
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
| Vendor | Product | Versions |
|---|---|---|
| MailEnable | MailEnable | affected 0 - < 10.55.0 |
Weaknesses (CWE)
References
https://karmainsecurity.com/KIS-2026-05 (technical-description, exploit)
https://mailenable.com/Standard-ReleaseNotes.txt (release-notes)
https://www.mailenable.com/ (product)