{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3455", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-02T18:41:43.509Z", "datePublished": "2026-03-03T05:00:11.753Z", "dateUpdated": "2026-03-03T15:17:56.714Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P"}}], "credits": [{"value": "Ravishanker Kusuma", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-03T05:00:11.753Z"}, "descriptions": [{"value": "Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote \" to the URL with embedded malicious JavaScript code.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032"}, {"url": "https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08"}, {"url": "https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a"}, {"url": "https://github.com/nodemailer/mailparser/issues/412"}], "affected": [{"product": "mailparser", "versions": [{"version": "0", "lessThan": "3.9.3", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:07:11.759930Z", "id": "CVE-2026-3455", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:17:56.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3455", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:07:11.759930Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:11:40.011Z"}}], "cna": {"credits": [{"lang": "en", "value": "Ravishanker Kusuma"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}, "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "mailparser", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.3", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032"}, {"url": "https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08"}, {"url": "https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a"}, {"url": "https://github.com/nodemailer/mailparser/issues/412"}], "descriptions": [{"lang": "en", "value": "Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote \" to the URL with embedded malicious JavaScript code."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-03T05:00:11.753Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3455", "state": "PUBLISHED", "dateUpdated": "2026-03-03T15:17:56.714Z", "dateReserved": "2026-03-02T18:41:43.509Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-03-03T05:00:11.753Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodemailer:mailparser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E9F4D3A2-A90E-4385-86F6-FBB3262FFB5E", "versionEndExcluding": "3.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote \" to the URL with embedded malicious JavaScript code."}, {"lang": "es", "value": "Las versiones del paquete mailparser anteriores a la 3.9.3 son vulnerables a cross-site scripting (XSS) a trav\u00e9s de la funci\u00f3n textToHtml() debido a la sanitizaci\u00f3n incorrecta de las URL en el contenido del correo electr\u00f3nico. Un atacante puede ejecutar scripts arbitrarios en los navegadores de las v\u00edctimas al a\u00f1adir una comilla extra ' a la URL con c\u00f3digo JavaScript malicioso incrustado."}], "id": "CVE-2026-3455", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-03-03T05:17:25.240", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08"}, {"source": "report@snyk.io", "tags": ["Issue Tracking"], "url": "https://github.com/nodemailer/mailparser/issues/412"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.3)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "mailparser", "vendor": "nodemailer"}], "analysis": {"en": {"generated_at": "2026-04-17T13:25:17.175032+00:00", "value": {"mitigation_remediation": ["Upgrade mailparser to version 3.9.3 or later, which contains the URL sanitization fix.", "Ensure that any HTML rendered from mailparser is further sanitized or escaped by the web application, avoiding direct insertion into the DOM without proper encoding.", "If an immediate upgrade is not feasible, apply a temporary workaround by stripping or neutralizing \"<script>\" tags and untrusted URLs from the parsed output before it reaches the browser."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Nodemailer mailparser JavaScript library, version 3.8.x and earlier, bundled with Node.js applications. Users running any version of mailparser older than 3.9.3 are exposed, including deployments that parse inbound email into HTML for display in web interfaces. Affected systems typically include Node.js servers that process marketing or support emails.", "description_and_impact": "mailparser\u2019s textToHtml() function fails to sanitize URLs correctly, allowing an attacker to inject malicious JavaScript through specially crafted email content. This cross\u2011site scripting flaw can execute arbitrary scripts in any browser that renders the parsed email, potentially exposing session data, credentials, or other sensitive information. The weakness is a classic client\u2011side XSS, identified by CWE\u201179. The attack vector is not explicitly stated but inferred from the description that an attacker can supply malicious URLs in email content.", "risk_and_exploitability": "With a CVSS base score of 5.1, the flaw has a medium severity and an EPSS of less than 1\u202f%, meaning it is low probability but possible to exploit if an attacker can supply crafted email content to a susceptible application. Since the flaw is client\u2011side, exploitation requires a victim to view the rendered email in a browser that trusts the output; the vulnerability is not in the mailparser code itself but in how its output is consumed. The flaw is not currently listed in CISA\u2019s Known Exploited Vulnerabilities catalog, but attackers could still target applications that fail to sanitize mailparser output. The requirement that a victim views the rendered email is inferred from the client\u2011side nature of the flaw."}}}}, "created": "2026-03-04T21:04:06.299819+00:00", "title": "mailparser Cross\u2011Site Scripting via textToHtml URL Sanitization", "updated": "2026-04-17T13:30:19.602462+00:00", "vendors": ["nodemailer", "nodemailer$PRODUCT$mailparser"]}