CVE-2025-56425

EUVD-2026-1505
An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
optimal-systemsenaio
10.10.0.0 ≤
𝑥
< 10.10.0.183
optimal-systemsenaio
11.0.0.0 ≤
𝑥
< 11.0.0.183
optimal-systemsenaio
11.10.0.0 ≤
𝑥
< 11.10.0.183
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/
https://www.optimal-systems.de/enaio