CVE-2026-25529 - Vulnerability Details - OpenCVE

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc

History

Thu, 12 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher.
Title		Postal has HTML injection / XSS in message view
Weaknesses		CWE-79
References		https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-12T16:35:33.384Z

Updated: 2026-03-12T17:57:37.553Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25529

Vulnrichment

Updated: 2026-03-12T17:57:31.875Z

NVD

Status : Awaiting Analysis

Published: 2026-03-12T17:16:46.953

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-25529

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25529", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.373Z", "datePublished": "2026-03-12T16:35:33.384Z", "dateUpdated": "2026-03-12T17:57:37.553Z"}, "containers": {"cna": {"title": "Postal has HTML injection / XSS in message view", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc"}], "affected": [{"vendor": "postalserver", "product": "postal", "versions": [{"version": "< 3.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:35:33.384Z"}, "descriptions": [{"lang": "en", "value": "Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's \"send/raw\" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher."}], "source": {"advisory": "GHSA-5f4r-5jpr-rfhc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T17:57:23.299542Z", "id": "CVE-2026-25529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:57:37.553Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T17:57:23.299542Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:57:31.875Z"}}], "cna": {"title": "Postal has HTML injection / XSS in message view", "source": {"advisory": "GHSA-5f4r-5jpr-rfhc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "postalserver", "product": "postal", "versions": [{"status": "affected", "version": "< 3.3.5"}]}], "references": [{"url": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc", "name": "https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's \"send/raw\" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:35:33.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25529", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:57:37.553Z", "dateReserved": "2026-02-02T19:59:47.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T16:35:33.384Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}