CVE-2025-68723CRITICAL 9.0EPSS p17.3%

CVE-2025-68723CVE-2025-68723

Description

Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions.

Scoring

CVSS 3.19.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS0.26% probability of exploitation · percentile 17.3% · 2026-06-18T12:00:27Z
Published2026-02-05
Last modified2026-02-13

Underlying weaknesses· 1

CWE-79

References

  1. https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Stored-XSS-Vulnerabilities-CVE-2025-68723-_408.html
  2. https://www.axigen.com/mail-server/download/
  3. https://github.com/osmancanvural/CVE-2025-68723

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-68721
CVE
CVE-2025-68722
CVE
CVE-2025-44148
CVE
CVE-2025-67823
CVE
CVE-2025-29471
CVE
CVE-2026-48297
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.