CVE-2025-34490

Published: Apr 28, 2025Modified: Nov 4, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.

Affected (1)

Products: Gfi: Mailessentials

Gfi

1 product

Mailessentials

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gfi Mailessentials	Before 21.8

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (3)

https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html

Source: disclosure@vulncheck.com

Exploit

https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases

Source: disclosure@vulncheck.com

Release Notes

https://www.vulncheck.com/advisories/gfi-mailessentials-xxe-arbitrary-file-read

Source: disclosure@vulncheck.com

Timeline

No history available yet.