{"id":"CVE-2026-25529","summary":"Postal has HTML injection / XSS in message view","details":"Postal is an open source SMTP server. Postal versions less than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's \"send/raw\" method. This could allow arbitrary HTML to be injected into the page, which may modify the page in a misleading way or allow for unauthorised JavaScript to be executed. Fixed in 3.3.5 and higher.","aliases":["GHSA-5f4r-5jpr-rfhc"],"modified":"2026-04-02T13:15:14.253848Z","published":"2026-03-12T16:35:33.384Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25529.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25529.json"},{"type":"ADVISORY","url":"https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25529"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/postalserver/postal","events":[{"introduced":"0"},{"fixed":"d532922ff7f51e096a69fd97a2f0a37386e60243"}]}],"versions":["2.0.0","2.0.0-beta.1","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.3.2","3.0.0","3.0.1","3.0.2","3.1.0","3.1.1","3.2.0","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25529.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}