CVE-2025-68643
Unknown Unknown - Not Provided

Stored XSS in Axigen Mail Server timeFormat Preference

Vulnerability report for CVE-2025-68643, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-05

Last updated on: 2026-02-11

Assigner: MITRE

Description

Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-05
Last Modified
2026-02-11
Generated
2026-07-06
AI Q&A
2026-02-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
axigen axigen_mail_server From 10.3.0 (inc) to 10.5.57 (exc)
axigen axigen_mail_server From 10.6.0 (inc) to 10.6.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-68643 is a stored Cross-Site Scripting (XSS) vulnerability in Axigen WebMail versions before 10.5.57. It occurs because the timeFormat account preference parameter is not properly sanitized when loaded from storage.'}, {'type': 'paragraph', 'content': "An attacker can exploit this vulnerability through a multi-stage attack. First, the attacker injects malicious JavaScript into the victim's timeFormat preference by exploiting another vulnerability or using compromised credentials. Then, when the victim logs into the WebMail interface, the malicious script is executed because the unsanitized timeFormat value is inserted into the webpage's DOM."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have serious impacts including the execution of arbitrary JavaScript in the victim's browser. The attacker can redirect resource loading to attacker-controlled servers, display fake login forms, steal user credentials, hijack sessions, and exfiltrate sensitive data."}] [1]

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves checking if the Axigen WebMail server is running a vulnerable version (10.3.x, 10.4.x, 10.5.x up to 10.5.56, or 10.6.x up to 10.6.25) and verifying if the timeFormat account preference parameter has been tampered with to include malicious JavaScript payloads.

Since exploitation requires modification of the timeFormat preference, inspecting user account preferences for suspicious or unexpected JavaScript code in the timeFormat parameter can help detect compromise.

No specific commands are provided in the available resources for detection.

Mitigation Strategies

The recommended immediate mitigation is to update Axigen WebMail to fixed versions 10.5.57 or later, or 10.6.26 or later.

Additionally, reviewing and securing user credentials to prevent unauthorized modification of the timeFormat preference is important.

Monitoring and restricting access to the WebMail interface to trusted users can also reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart