CVE-2025-68643
Stored XSS in Axigen Mail Server timeFormat Preference

Publication date: 2026-02-05

Last updated on: 2026-02-11

Assigner: MITRE

Description
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-05
EPSS evaluated: 2026-06-14
Affected Vendors & Products (2 associated CPEs)

Vendor   Product              Version / Range
axigen   axigen_mail_server   From 10.3.0 (inc) to 10.5.57 (exc)
axigen   axigen_mail_server   From 10.6.0 (inc) to 10.6.26 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2025-68643 is a stored Cross-Site Scripting (XSS) vulnerability in Axigen WebMail versions before 10.5.57 (and, per the CPE data above, 10.6.x before 10.6.26). It occurs because the timeFormat account preference parameter is not properly sanitized when loaded from storage. [1]

An attacker can exploit this vulnerability through a multi-stage attack. First, the attacker injects malicious JavaScript into the victim's timeFormat preference by exploiting another vulnerability or using compromised credentials. Then, when the victim logs into the WebMail interface, the malicious script is executed because the unsanitized timeFormat value is inserted into the webpage's DOM. [1]

Impact Analysis

This vulnerability can have serious impacts, including the execution of arbitrary JavaScript in the victim's browser. The attacker can redirect resource loading to attacker-controlled servers, display fake login forms, steal user credentials, hijack sessions, and exfiltrate sensitive data. [1]

Compliance Impact

No compliance impact information is provided in the available resources.

Detection Guidance

Detecting exposure has two parts: confirm whether the Axigen WebMail server is running an affected version (10.3.0 through 10.5.56, or 10.6.0 through 10.6.25), and check whether any account's timeFormat preference has been tampered with to carry a JavaScript payload.

Because exploitation requires the timeFormat value to be modified first, reviewing stored account preferences for markup, script tags or event-handler attributes in that field is the practical indicator of compromise. A legitimate value is a short time format pattern; anything containing angle brackets or script-like content should be treated as tampered and the account as potentially compromised.

No specific commands are provided in the available resources for detection.
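Since the page gives no commands, the following is an added example (not Axigen's code or tooling) of how an administrator might script the two checks above: compare the installed version against the CPE ranges listed on this page, and flag timeFormat values that contain markup or script indicators. The preference export format, the field names and the allowed character set for a time format are assumptions; the sample records are constructed for illustration.

```python
"""Added example (not Axigen's code): triage helpers for CVE-2025-68643.

Two checks from the page's detection guidance:
  1. is the installed Axigen version inside an affected CPE range?
  2. does any account's timeFormat preference carry markup or script?

The sample preference records below are constructed for illustration;
the export format and field names are assumptions, not Axigen's.
"""
import re

# Affected ranges from the page's CPE table: [start, end) as (major, minor, patch).
AFFECTED_RANGES = [
    ((10, 3, 0), (10, 5, 57)),
    ((10, 6, 0), (10, 6, 26)),
]


def parse_version(text):
    """'10.5.56' -> (10, 5, 56); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the version falls inside any affected [start, end) range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# A time format should only contain format letters, digits, spaces and a few
# separators. The allowed alphabet is an assumption, not Axigen's validation
# rule; the SUSPECT pattern catches the obvious XSS shapes regardless.
ALLOWED = re.compile(r"^[A-Za-z0-9 :./,\-]*$")
SUSPECT = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_time_format(value):
    """Return a reason string if the value looks tampered, else None."""
    if SUSPECT.search(value):
        return "contains markup or script indicators"
    if not ALLOWED.match(value):
        return "contains characters outside the expected format alphabet"
    return None


def scan_preferences(records):
    """records: iterable of (account, timeFormat) pairs -> list of findings."""
    findings = []
    for account, value in records:
        reason = suspicious_time_format(value)
        if reason:
            findings.append((account, value, reason))
    return findings


# Constructed sample export: two benign values and two tampered ones.
SAMPLE_RECORDS = [
    ("alice@example.com", "HH:mm"),
    ("bob@example.com", "hh:mm a"),
    ("carol@example.com", "HH:mm<img src=x onerror=alert(1)>"),
    ("dave@example.com", "<script>alert(document.domain)</script>"),
]

if __name__ == "__main__":
    for ver in ("10.5.56", "10.5.57", "10.6.25", "10.6.26", "10.2.9"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for account, value, reason in scan_preferences(SAMPLE_RECORDS):
        print("FLAG", account, repr(value), reason)
```

The version check is exact against the ranges on this page; the preference scan is a heuristic, so a hit means "inspect this account", not proof of exploitation, and a clean result does not rule out an encoded payload that the assumed alphabet does not cover.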

Mitigation Strategies

The recommended immediate mitigation is to update Axigen WebMail to fixed versions 10.5.57 or later, or 10.6.26 or later.

Additionally, review and secure user credentials, since the first stage of the attack requires account-level access (compromised credentials or another vulnerability) to modify the timeFormat preference.

Monitoring and restricting access to the WebMail interface to trusted users can also reduce risk.
