CVE-2026-32851

Name of the Vulnerable Software and Affected Versions MailEnable versions prior to 10.55

Description The software contains a reflected cross-site scripting issue in the webmail interface. This allows remote attackers to execute arbitrary JavaScript in a victim’s browser by using a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.

Recommendations Update MailEnable to version 10.55 or later.