CVE-2025-44148 PoC — MailEnable 安全漏洞

Source

https://github.com/barisbaydur/CVE-2025-44148

Associated Vulnerability

Title:MailEnable 安全漏洞 (CVE-2025-44148)
Description:Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component

Description

A reflected cross-site scripting (XSS) vulnerability exists in MailEnable Webmail due to improper user input sanitization in the failure.aspx. This allows a remote attacker to inject arbitrary JavaScript code via a crafted URL, which is then reflected in the server's response and executed in the context of the user's browser session.

Readme

# CVE-2025-44148 - Reflected Cross-Site Scripting (Reflected XSS)
Reflected Cross-Site Scripting (XSS) in MailEnable<br/>
Vendor: MailEnable Pty. Ltd.<br/>
Affected Versions: <10

# Description
A reflected cross-site scripting (XSS) vulnerability exists in MailEnable Webmail due to improper user input sanitization in the failure.aspx. This allows a remote attacker to inject arbitrary JavaScript code via a crafted URL, which is then reflected in the server's response and executed in the context of the user's browser session.

# POC
- Go to **/Mondo/lang/sys/Failure.aspx?state=19753** Page
- Use **%22;}alert(1);function%20test(){%22** Paylaod for exploitation
<br/><br/>
![2](https://github.com/user-attachments/assets/3ff590f5-a5da-4b50-b36b-0982ee2e4600)

File Snapshot


 [4.0K]  /data/pocs/c5d8a49cdf3f778f3faca67177f0b9945f934792
└── [ 763]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!