
Axigen Mail Server vulnerabilities

9 known vulnerabilities affecting axigen/axigen_mail_server.

Total CVEs: 9
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2023-48974 | P2 | CRITICAL | CVSS 9.6 | PoC available | Affected: ≤ 10.5.7 | Date: 2024-02-08
CWE-79: Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.
Source: nvd
CVE-2020-26942 | P2 | CRITICAL | CVSS 9.1 | Affected: ≥ 10.3.0, < 10.3.1.27; ≥ 10.3.2.0, < 10.3.3.1 | Date: 2024-03-21
CWE-306: An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account.
Source: nvd
CVE-2025-68721 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 10.3.0, < 10.5.57; ≥ 10.6.0, < 10.6.26 | Date: 2026-02-05
CWE-284: Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certi
Source: nvd
CVE-2023-23566 | P3 | CRITICAL | CVSS 9.8 | Affected: v10.3.3.52 | Date: 2023-01-13
CWE-276: A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code.
Source: nvd
CVE-2025-68722 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 10.3.0, < 10.5.57; ≥ 10.6.0, < 10.6.26 | Date: 2026-02-05
CWE-352: Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter im
Source: nvd
CVE-2025-68723 | P3 | CRITICAL | CVSS 9.0 | Affected: ≥ 10.3.0, < 10.5.57; ≥ 10.6.0, < 10.6.26 | Date: 2026-02-05
CWE-79: Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Li
Source: nvd
CVE-2012-2592 | P4 | MEDIUM | CVSS 4.3 | PoC available | Affected: v8.0.1 | Date: 2014-06-18
CWE-79: Cross-site scripting (XSS) vulnerability in Axigen Mail Server 8.0.1 allows remote attackers to inject arbitrary web script or HTML via the body of an email.
Source: nvd
CVE-2025-68643 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 10.3.0, < 10.5.57; ≥ 10.6.0, < 10.6.26 | Date: 2026-02-05
CWE-79: Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromis
Source: nvd
CVE-2015-5379 | P4 | MEDIUM | CVSS 5.4 | Affected: v8.0, v8.0.1, +7 more | Date: 2017-10-23
CWE-79: Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax WebMail interface in AXIGEN Mail Server before 9.0 allows remote attackers to inject arbitrary web script or HTML via an email attachment.
Source: nvd
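A triage helper, added here as an example (it is not cvebase's or Axigen's code): given an Axigen version string such as the one reported by a server banner or an inventory export, it returns which of the CVEs listed above cover that version, ordered by CVSS. The affected ranges are transcribed from the listing's version column; two assumptions are worth stating. For CVE-2015-5379 the column only shows "v8.0, v8.0.1, +7 more", so the constraint "< 9.0" is taken from the NVD description instead. For CVE-2023-48974 the column says "≤ 10.5.7" while the description says "prior to 10.3.3.61"; the broader column value is used. Versions are compared as dotted numeric tuples padded to four components, which is all the listed versions need.

```python
"""Map an Axigen Mail Server version to the CVEs on this listing.

Added example, not part of cvebase or Axigen. Affected ranges are copied
from the listing's version column; see the two assumptions in the lead-in
(CVE-2015-5379 uses "<9.0" from its description, CVE-2023-48974 uses the
column's "<=10.5.7").
"""
from __future__ import annotations

import re
from typing import Callable

# Constraint clauses use the same operators the listing prints.
_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    "==": lambda v, b: v == b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
}

# (cve, severity, cvss, affected constraints); a version is affected if it
# satisfies every clause of at least one constraint string.
_AXIGEN_10X = [">=10.3.0,<10.5.57", ">=10.6.0,<10.6.26"]
AFFECTED = [
    ("CVE-2023-48974", "CRITICAL", 9.6, ["<=10.5.7"]),
    ("CVE-2020-26942", "CRITICAL", 9.1, [">=10.3.0,<10.3.1.27", ">=10.3.2.0,<10.3.3.1"]),
    ("CVE-2025-68721", "HIGH", 8.1, _AXIGEN_10X),
    ("CVE-2023-23566", "CRITICAL", 9.8, ["==10.3.3.52"]),
    ("CVE-2025-68722", "HIGH", 8.8, _AXIGEN_10X),
    ("CVE-2025-68723", "CRITICAL", 9.0, _AXIGEN_10X),
    ("CVE-2012-2592", "MEDIUM", 4.3, ["==8.0.1"]),
    ("CVE-2025-68643", "MEDIUM", 5.4, _AXIGEN_10X),
    ("CVE-2015-5379", "MEDIUM", 5.4, ["<9.0"]),  # assumption: "before 9.0" per description
]


def version_tuple(s: str, width: int = 4) -> tuple[int, ...]:
    """'v10.3.3.52' -> (10, 3, 3, 52); shorter versions are zero-padded so
    that '10.3' and '10.3.0' compare equal. Rejects non-numeric input."""
    s = s.strip().lstrip("v")
    parts = s.split(".")
    if not s or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))


def matches(version: str, constraint: str) -> bool:
    """True if `version` satisfies every clause of a constraint such as
    '>=10.3.0,<10.5.57' or '==8.0.1'."""
    v = version_tuple(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|<|>)\s*v?([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        if not _OPS[m.group(1)](v, version_tuple(m.group(2))):
            return False
    return True


def applicable_cves(version: str) -> list[tuple[str, str, float]]:
    """CVEs from the listing whose affected ranges contain `version`,
    highest CVSS first."""
    hits = [
        (cve, severity, cvss)
        for cve, severity, cvss, ranges in AFFECTED
        if any(matches(version, r) for r in ranges)
    ]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for v in ("10.3.3.52", "10.3.1.5", "10.5.57", "10.6.26"):
        hits = applicable_cves(v)
        print(f"Axigen {v}: {len(hits)} listed CVE(s)")
        for cve, severity, cvss in hits:
            print(f"  {cve}  {severity:<8} CVSS {cvss}")
```

Anything at 10.5.57 or 10.6.26 and later comes back empty for the 2025 WebAdmin issues, which is the fixed-version boundary the listing gives; an exact 10.3.3.52 additionally picks up the 2-Step Verification bypass (CVE-2023-23566), which the page records for that single version only.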