CVE-2025-44148
published 2025-06-03

CVE-2025-44148: Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component

Priority: P268
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 54.41% (98.9th percentile)

Affected

1 range

Vendor: mailenable
Product: mailenable
Version range: < 10.00
Fixed in: 10.00

Detection & IOCs

URL: /Mondo/lang/sys/Failure.aspx?state=19753%22;}alert(document.domain);function%20test(){%22
Path: /Mondo/lang/sys/Failure.aspx
  • Look for XSS payload in the `state` parameter of Failure.aspx in HTTP requests; the injected payload breaks out of a JavaScript string context using `";}` followed by arbitrary JS.
  • Response body will reflect the unencoded payload string `}alert(document.domain);function test` alongside the text `Authentication Failed` — both must be present for a confirmed hit.
  • Shodan/FOFA fingerprint for exposed MailEnable instances: search for page title `MailEnable`.
  • Vulnerability only affects MailEnable versions prior to v10; v10 and later are not affected.
  • Exploitation requires user interaction (UI:R per CVSS), meaning a victim must click a crafted link for the XSS to execute.
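The two detection conditions above (a `state` parameter that breaks out of the JavaScript string context on Failure.aspx, and a response that reflects the value unencoded next to `Authentication Failed`) can be turned into a small classifier over proxy or WAF records. The code below is an added example written for this entry; it is not part of the cvebase record or of MailEnable. It assumes a log pipeline that exposes the request URL and response body of each transaction, and the sample records are constructed. It generalises slightly: rather than matching only the `alert(document.domain)` string, it checks whether whatever was sent in `state` comes back verbatim (unencoded), so an encoded reflection from a patched host is reported as suspicious-but-not-confirmed.

```python
"""Classifier for the MailEnable Failure.aspx reflected-XSS indicator.

Added example, not cvebase or MailEnable code. Assumes each record is a
dict with the request "url" and the response "body" (hypothetical log shape).
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Request-side indicator: the vulnerable page and a `state` value that closes
# a JS string and block (`";}`) so that further script can follow.
FAILURE_PATH_RE = re.compile(r"/Mondo/lang/sys/Failure\.aspx$", re.IGNORECASE)
JS_BREAKOUT_RE = re.compile(r'"\s*;?\s*}')

# Response-side indicator from the detection note: the page's own error text.
PAGE_MARKER = "Authentication Failed"


def state_values(url: str) -> list:
    """Return every decoded `state` value in the query string.

    Splits on '&' only, so the ';' characters inside a payload are kept
    (older urllib.parse.parse_qs versions would split on ';' as well).
    """
    query = urlsplit(url).query
    values = []
    for piece in query.split("&"):
        key, _, value = piece.partition("=")
        if key == "state":
            values.append(unquote_plus(value))
    return values


def suspicious_request(url: str) -> bool:
    """True when the URL targets Failure.aspx with a JS-breakout `state` value."""
    if not FAILURE_PATH_RE.search(urlsplit(url).path):
        return False
    return any(JS_BREAKOUT_RE.search(v) for v in state_values(url))


def reflected_unencoded(url: str, body: str) -> bool:
    """True when a breakout `state` value appears verbatim (unencoded) in the body."""
    return any(
        JS_BREAKOUT_RE.search(v) and v in body for v in state_values(url)
    )


def classify(record: dict) -> str:
    """'confirmed' needs the suspicious request plus both response markers;
    'suspicious' is a breakout request without confirmed reflection."""
    url, body = record["url"], record["body"]
    if not suspicious_request(url):
        return "clean"
    if reflected_unencoded(url, body) and PAGE_MARKER in body:
        return "confirmed"
    return "suspicious"


# Constructed sample records: an unpatched host reflecting the payload, a
# benign error page, and a host that HTML-encodes the reflected value.
SAMPLE_RECORDS = [
    {
        "url": "http://mail.example.test/Mondo/lang/sys/Failure.aspx"
               "?state=19753%22;}alert(document.domain);function%20test(){%22",
        "body": '<script>var s="19753";}alert(document.domain);'
                'function test(){"";</script>Authentication Failed',
    },
    {
        "url": "http://mail.example.test/Mondo/lang/sys/Failure.aspx?state=19753",
        "body": '<script>var s="19753";</script>Authentication Failed',
    },
    {
        "url": "http://mail.example.test/Mondo/lang/sys/Failure.aspx"
               "?state=19753%22;}alert(1);function%20test(){%22",
        "body": '<script>var s="19753&quot;;}alert(1);function test(){&quot;";'
                '</script>Authentication Failed',
    },
]


def scan(records: list) -> list:
    """Return the verdict for each record, in order."""
    return [classify(r) for r in records]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(verdict, record["url"])
```

Only the first record is a confirmed hit; the third shows why the page insists on both conditions, since a breakout request against a host that encodes the reflection is worth logging but is not evidence of a vulnerable instance.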