CVE-2026-3455

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a	Exploit Third Party Advisory
https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08	Patch
https://github.com/nodemailer/mailparser/issues/412	Issue Tracking
https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nodemailer:mailparser:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-03 05:17

Updated : 2026-03-13 17:53

NVD link : CVE-2026-3455

Mitre link : CVE-2026-3455

CVE.ORG link : CVE-2026-3455

JSON object : View

Products Affected

nodemailer

mailparser

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-3455", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-03T05:17:25.240", "references": [{"url": "https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://github.com/nodemailer/mailparser/issues/412", "tags": ["Issue Tracking"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote \" to the URL with embedded malicious JavaScript code."}, {"lang": "es", "value": "Las versiones del paquete mailparser anteriores a la 3.9.3 son vulnerables a cross-site scripting (XSS) a trav\u00e9s de la funci\u00f3n textToHtml() debido a la sanitizaci\u00f3n incorrecta de las URL en el contenido del correo electr\u00f3nico. Un atacante puede ejecutar scripts arbitrarios en los navegadores de las v\u00edctimas al a\u00f1adir una comilla extra ' a la URL con c\u00f3digo JavaScript malicioso incrustado."}], "lastModified": "2026-03-13T17:53:26.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodemailer:mailparser:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E9F4D3A2-A90E-4385-86F6-FBB3262FFB5E", "versionEndExcluding": "3.9.3"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}