← Volver a CVEs

CVE-2026-3455

MEDIUM

6.1

Descripcion

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

Detalles CVE

Puntuacion CVSS v3.16.1

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioREQUIRED

Publicado3/3/2026

Ultima modificacion3/13/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

nodemailer:mailparser

Debilidades (CWE)

CWE-79

Referencias

https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a(report@snyk.io)

https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08(report@snyk.io)

https://github.com/nodemailer/mailparser/issues/412(report@snyk.io)

https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032(report@snyk.io)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.