cbcvebase.
CVE-2025-68723
published 2026-02-05

CVE-2025-68723: Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the…

PriorityP344critical9CVSS 3.1
AVNACLPRLUIRSCCHIHAH
EPSS
0.26%
17.4th percentile
Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions.

Affected

2 ranges
VendorProductVersion rangeFixed in
axigenaxigen_mail_server>= 10.3.0 < 10.5.5710.5.57
axigenaxigen_mail_server>= 10.6.0 < 10.6.2610.6.26
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.