{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25529", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.373Z", "datePublished": "2026-03-12T16:35:33.384Z", "dateUpdated": "2026-03-12T17:57:37.553Z"}, "containers": {"cna": {"title": "Postal has HTML injection / XSS in message view", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc"}], "affected": [{"vendor": "postalserver", "product": "postal", "versions": [{"version": "< 3.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:35:33.384Z"}, "descriptions": [{"lang": "en", "value": "Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's \"send/raw\" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher."}], "source": {"advisory": "GHSA-5f4r-5jpr-rfhc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T17:57:23.299542Z", "id": "CVE-2026-25529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:57:37.553Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T17:57:23.299542Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:57:31.875Z"}}], "cna": {"title": "Postal has HTML injection / XSS in message view", "source": {"advisory": "GHSA-5f4r-5jpr-rfhc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "postalserver", "product": "postal", "versions": [{"status": "affected", "version": "< 3.3.5"}]}], "references": [{"url": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc", "name": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's \"send/raw\" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:35:33.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25529", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:57:37.553Z", "dateReserved": "2026-02-02T19:59:47.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T16:35:33.384Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postalserver:postal:*:*:*:*:*:*:*:*", "matchCriteriaId": "A49508C5-16FE-4F8B-81F7-980BD5DFD627", "versionEndExcluding": "3.3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's \"send/raw\" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher."}, {"lang": "es", "value": "Postal es un servidor SMTP de c\u00f3digo abierto. Las versiones de Postal anteriores a la 3.3.5 ten\u00edan una vulnerabilidad de inyecci\u00f3n HTML que permit\u00eda incluir datos sin escapar en la interfaz de administraci\u00f3n. La forma principal de a\u00f1adir datos sin escapar es a trav\u00e9s del m\u00e9todo 'send/raw' de la API. Esto podr\u00eda permitir la inyecci\u00f3n de HTML arbitrario en la p\u00e1gina, lo que podr\u00eda modificar la p\u00e1gina de forma enga\u00f1osa o permitir la ejecuci\u00f3n de javascript no autorizado. Corregido en la versi\u00f3n 3.3.5 y posteriores."}], "id": "CVE-2026-25529", "lastModified": "2026-03-19T17:53:51.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T17:16:46.953", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "postal", "source": "cna", "vendor": "postalserver"}, "product": "postal", "vendor": "postalserver"}], "analysis": {"en": {"generated_at": "2026-03-19T19:26:10.583522+00:00", "value": {"mitigation_remediation": ["Upgrade Postal to version 3.3.5 or newer"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Postal server versions prior to 3.3.5 are affected. The vulnerability is present in all generally available releases of Postal via the postalserver:postal product line and has been fixed in version 3.3.5 and later.", "description_and_impact": "Postal, the open source SMTP server, has a vulnerability that allows unescaped HTML to be injected in the admin message view. The issue arises when data passed through the API\u2019s \"send/raw\" endpoint is rendered without proper sanitization, enabling an attacker to inject arbitrary HTML or JavaScript. This can modify the user interface in a misleading way or allow unauthorized script execution, representing a classic Cross\u2011Site Scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 8.1 marks this vulnerability as high severity. The EPSS score is reported as less than 1\u202f%, indicating low current exploit prevalence, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires sending a crafted payload through the public \"send/raw\" API endpoint, and success would result in HTML injection into the administrative interface for users who view the affected message. The attack vector is inferred from the description, as explicit details are not provided in the data."}}}}, "created": "2026-03-13T09:51:07.083090+00:00", "updated": "2026-03-20T15:48:59.038191+00:00", "vendors": ["postalserver", "postalserver$PRODUCT$postal"]}