CVE-2025-34490 | THREATINT

Description

GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.

PUBLISHED Reserved 2025-04-15 | Published 2025-04-28 | Updated 2025-11-19 | Assigner VulnCheck

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status

unaffected

Any version before 21.8

affected

Credits

Frycos finder

References

frycos.github.io/vulns4free/2025/04/28/mailessentials.html exploit technical-description

gfi.ai/...ssentials/resources/documentation/product-releases vendor-advisory

www.vulncheck.com/...-mailessentials-xxe-arbitrary-file-read third-party-advisory

cve.org (CVE-2025-34490)

nvd.nist.gov (CVE-2025-34490)

Download JSON