CVE-2026-3455

6.1 MEDIUM
Published: March 03, 2026 Modified: March 13, 2026
View on NVD

Description

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
Source: report@snyk.io
Exploit Third Party Advisory
https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08
Source: report@snyk.io
Patch
https://github.com/nodemailer/mailparser/issues/412
Source: report@snyk.io
Issue Tracking
https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032
Source: report@snyk.io
Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.0%
9th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

nodemailer

Related CVEs

CVE-2026-4510 4.3
CVE-2026-4373 7.5
CVE-2026-4509 6.3
CVE-2026-4261 8.8
CVE-2026-4161 4.4