CVE-2025-68723

CRITICAL

Axigen Mail Server <10.5.57 - XSS

Title source: llm

Description

Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions.

Exploits (1)

nomisec WRITEUP
by osmancanvural · poc
https://github.com/osmancanvural/CVE-2025-68723

References (3)

Scores

CVSS v3 9.0
EPSS 0.0001
EPSS Percentile 1.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (1)
axigen/axigen_mail_server 10.3.0 - 10.5.57
Published Feb 05, 2026
Tracked Since Feb 18, 2026