CVE-2026-3455 - CVE Alert System

Basic Information

Severity	MEDIUM
Base Score	6.1
CNA	snyk
Published Date	2026-03-03 00:00:11 UTC
Last Modified	2026-03-03 00:00:11 UTC
CVE.org Link	https://www.cve.org/CVERecord?id=CVE-2026-3455
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3455

Description

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

Affected Products

Vendor	Product
n/a	mailparser

References

https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032
https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08
https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
https://github.com/nodemailer/mailparser/issues/412

Back to Lookup View on CVE.org