CVE-2025-56425

CRITICAL

enaio 10.10.0.0-10.10.0.183, 11.0.0-11.0.0.183, 11.10.0-11.10.0.183 - SMTP Command Injection via AppConnector Sendmail

Title source: llm

Description

An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/

Product

https://www.optimal-systems.de/enaio

Scores

CVSS v3 9.1

EPSS 0.0064

EPSS Percentile 45.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (1)

optimal-systems/enaio 10.10.0.0 - 10.10.0.183

Published Jan 08, 2026

Tracked Since Feb 18, 2026