CVE Alert

CVE-2026-3455

Severity: MEDIUM
CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Versions of the mailparser package before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function, because URLs in the email content are not properly sanitised. An attacker can execute arbitrary scripts in victims' browsers by adding an extra quote character (") to a URL that embeds malicious JavaScript code.
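As an added illustration from the defender's side, the following hypothetical linkifier is not mailparser's code and not its actual fix; it shows the property a safe textToHtml()-style function must have. The URL placed in the href attribute is escaped separately from the surrounding text, so a quote character inside the URL becomes &quot; instead of closing the attribute, and the output can be checked for stray attribute boundaries. The URL pattern and the helper names are assumptions made for this example.

```javascript
// Added example (not mailparser's code): a minimal text-to-HTML linkifier that
// escapes both text nodes and the href attribute value, so a quote character
// inside a URL cannot terminate the attribute and inject markup.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Convert plain email text to HTML, turning http(s) URLs into links.
// The URL pattern is a deliberately simple hypothetical one: an http(s)
// scheme followed by a run of characters that are not whitespace or angle
// brackets. Note that it will happily capture a quote character, which is
// exactly why the attribute value must be escaped below.
function textToHtmlSafe(text) {
  const urlRe = /https?:\/\/[^\s<>]+/gi;
  let out = '';
  let last = 0;
  for (const m of text.matchAll(urlRe)) {
    // Plain text before the URL goes through the text escaper.
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    // Attribute value and visible link text are escaped independently;
    // a literal " in the URL becomes &quot; and cannot end the href.
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));
  // Preserve line structure of the original message.
  return out.replace(/\r?\n/g, '<br>\n');
}

// Defensive check usable in a test suite: every raw double quote in the
// output must belong to the fixed href="..." template, i.e. exactly two per
// generated anchor. Escaped quotes (&quot;) contain no raw " character.
function attributeIntact(html) {
  const anchors = (html.match(/<a /g) || []).length;
  const rawQuotes = (html.match(/"/g) || []).length;
  return rawQuotes === anchors * 2;
}

module.exports = { escapeHtml, textToHtmlSafe, attributeIntact };
```

Running textToHtmlSafe on a constructed message whose URL contains a stray quote yields an anchor whose href holds `&quot;` rather than a closed attribute, and attributeIntact() returns true for it; the same check fails on output from a converter that interpolates the raw URL into the attribute.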

CWE: CWE-79
Vendor: n/a
Product: mailparser
Published: Mar 3, 2026
Last Updated: Mar 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

n/a / mailparser: all versions from 0 up to, but not including, 3.9.3 (0 <= version < 3.9.3)

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.snyk.io: https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032
github.com (fix commit): https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08
gist.github.com: https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
github.com (issue): https://github.com/nodemailer/mailparser/issues/412

Credits

Ravishanker Kusuma