CVE-2026-3455

MEDIUM

mailparser < 3.9.3 - Cross-Site Scripting via textToHtml URL Sanitization Bypass

Title source: llm

Description

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

References (4)

Core 4

Core References

Various Sources

https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a

Patch

https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08

View Patch ZIP pw:eip

Issue Tracking

https://github.com/nodemailer/mailparser/issues/412

Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032

Scores

CVSS v3 6.1

EPSS 0.0006

EPSS Percentile 17.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

nodemailer/mailparser < 3.9.3

npm/mailparser 0 - 3.9.3npm

Published Mar 03, 2026

Tracked Since Mar 03, 2026