{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26266", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.412Z", "datePublished": "2026-03-03T22:16:15.387Z", "dateUpdated": "2026-03-04T16:52:03.957Z"}, "containers": {"cna": {"title": "AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q"}, {"name": "https://github.com/aliasvault/aliasvault/commit/382e2e96fa502891638a48404f6d82dc972ab481", "tags": ["x_refsource_MISC"], "url": "https://github.com/aliasvault/aliasvault/commit/382e2e96fa502891638a48404f6d82dc972ab481"}, {"name": "https://github.com/aliasvault/aliasvault/releases/tag/0.26.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/aliasvault/aliasvault/releases/tag/0.26.0"}], "affected": [{"vendor": "aliasvault", "product": "aliasvault", "versions": [{"version": "< 0.26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:16:15.387Z"}, "descriptions": [{"lang": "en", "value": "AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.["}], "source": {"advisory": "GHSA-f65p-p65r-g53q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:49:44.458482Z", "id": "CVE-2026-26266", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:52:03.957Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T16:49:44.458482Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:50:47.685Z"}}], "cna": {"title": "AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering", "source": {"advisory": "GHSA-f65p-p65r-g53q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aliasvault", "product": "aliasvault", "versions": [{"status": "affected", "version": "< 0.26.0"}]}], "references": [{"url": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q", "name": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aliasvault/aliasvault/commit/382e2e96fa502891638a48404f6d82dc972ab481", "name": "https://github.com/aliasvault/aliasvault/commit/382e2e96fa502891638a48404f6d82dc972ab481", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aliasvault/aliasvault/releases/tag/0.26.0", "name": "https://github.com/aliasvault/aliasvault/releases/tag/0.26.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.["}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:16:15.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26266", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:52:03.957Z", "dateReserved": "2026-02-12T17:10:53.412Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-03T22:16:15.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aliasvault:aliasvault:*:*:*:*:*:*:*:*", "matchCriteriaId": "172C7352-14EF-4D15-B467-429505682C3F", "versionEndExcluding": "0.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.["}], "id": "CVE-2026-26266", "lastModified": "2026-03-05T21:22:01.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-03T23:15:54.877", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aliasvault/aliasvault/commit/382e2e96fa502891638a48404f6d82dc972ab481"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/aliasvault/aliasvault/releases/tag/0.26.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory", "Mitigation"], "url": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "aliasvault", "source": "cna", "vendor": "aliasvault"}, "product": "aliasvault", "vendor": "aliasvault"}], "analysis": {"en": {"generated_at": "2026-04-16T13:52:38.938638+00:00", "value": {"mitigation_remediation": ["Upgrade AliasVault to version 0.26.0 or later, which removes the insecure rendering approach and adds proper sanitization.", "If an immediate upgrade is not possible, disable HTML email rendering in the web client or enforce a content security policy that blocks inline scripts in the email view.", "Scan inbound emails for script tags or iframe elements and strip or quarantine those messages before they are displayed to users."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is AliasVault email aliasing and password manager, in all releases up through 0.25.3. The problem exists in the web client that handles email rendering. Users running any 0.25.3 or earlier version are susceptible. AliasVault is listed under the aliasvault vendor name in the CNA data. Version information that mitigates the issue starts at 0.26.0 as referenced by the release notes.", "description_and_impact": "A stored Cross\u2011Site Scripting vulnerability has been found in the AliasVault web client. The flaw resides in the manner by which received email messages that contain HTML are displayed. The application places the entire HTML body inside an iframe via the srcdoc attribute, and this rendering occurs without any sanitization or origin isolation. As a result, a malicious script contained in an email will run under the same origin as the AliasVault web client when the recipient opens the message. Because the code executes with the privileges of the application and can access user data stored in cookies or local storage, an attacker could steal credentials, inject malware, or otherwise manipulate the victim\u2019s session. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score is 9.3, marking it as critical. The EPSS score is less than 1\u202f%, indicating that real\u2011world exploitation is currently unlikely but possible. The vulnerability is not yet in the CISA KEV catalog. Attackers can exploit it by crafting an email with malicious JavaScript and sending it to any AliasVault alias. The victim must be logged into the web client to view the message for the exploit to succeed. Since the script runs with the same origin as AliasVault, it can bypass same\u2011origin policy restrictions and read session cookies or local storage, providing a wide attack surface."}}}}, "created": "2026-03-04T14:53:37.171937+00:00", "updated": "2026-04-16T14:00:19.465162+00:00", "vendors": ["aliasvault", "aliasvault$PRODUCT$aliasvault"]}