CVE-2025-34490 — XML External Entity (XXE) Injection in Mailessentials

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GFI Mailessentials

Timeline

PublishedApr 28

Description

GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5gfi/mailessentials< 21.8

▶NVDgfi/mailessentials< 21.8

🔴Vulnerability Details

CVEList

GFI MailEssentials < 21.8 XXE Arbitrary File Read↗2025-04-28

▶

GHSA

GHSA-2vcm-447j-6j4j: GFI MailEssentials prior to version 21↗2025-04-28

▶