← Back

CVE-2025-68643

nvd nist
Published: Feb 5, 2026Modified: Feb 11, 2026

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: NVD

Description

Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.

Affected (2)

Axigen
1 product
Axigen Mail Server
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Axigen
Axigen Mail Server
From 10.3.0 to 10.5.57
Axigen Mail Server
From 10.6.0 to 10.6.26

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Product

Timeline

No history available yet.