CVE-2026-35460
MEDIUM
Papra <26.4.0 Transactional Emails - HTML Injection
Title source: manual
Description
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, Papra's transactional email templates interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags has those tags rendered verbatim in the verification and password reset email bodies, so whoever receives those messages gets attacker-controlled markup (for example a link to an attacker-chosen URL) inside an email that Papra itself sent. Because the messages come from the legitimate domain (e.g. [email protected]), this enables convincing phishing that appears to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.
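The pattern the advisory describes, as an added example that is not Papra's own code: a template that interpolates user.name unescaped, the same template with HTML escaping applied at the point of interpolation, and an outbound check that flags any link host other than the application's own. The function names, the sample URLs and the attacker display name are constructed for this illustration.

```javascript
// Added illustration of the bug class in CVE-2026-35460 (not Papra's own code).
// Function names, the sample URLs and the sample user objects are assumptions
// made for this example.

// Constructed sample inputs.
const VERIFY_URL = "https://papra.example/verify?token=abc123";
const TRUSTED_LINK_HOST = "papra.example";

// Constructed attacker display name: closes the greeting paragraph and adds a
// phishing link. Nothing here is script; mail clients render plain markup.
const ATTACKER_NAME =
  'Alice</p><p>Your account is locked. ' +
  '<a href="https://evil.example/reset">Unlock it now</a>';

// Vulnerable pattern: user.name goes straight into the HTML body.
function renderVerificationEmailUnsafe(user, verifyUrl) {
  return [
    `<p>Hi ${user.name},</p>`,
    `<p>Please confirm your address: <a href="${verifyUrl}">Verify</a></p>`,
  ].join("\n");
}

// Minimal escaper for HTML text nodes and double-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every untrusted value is escaped before entering the markup.
function renderVerificationEmailSafe(user, verifyUrl) {
  return [
    `<p>Hi ${escapeHtml(user.name)},</p>`,
    `<p>Please confirm your address: <a href="${escapeHtml(verifyUrl)}">Verify</a></p>`,
  ].join("\n");
}

// Outbound check: collect the host of every href in a rendered body. A
// transactional email should only ever link back to the sending application.
function linkHosts(html) {
  const hosts = [];
  for (const m of html.matchAll(/href="([^"]*)"/g)) {
    try {
      hosts.push(new URL(m[1]).host);
    } catch {
      hosts.push("invalid:" + m[1]);
    }
  }
  return hosts;
}

function hasOnlyTrustedLinks(html, trustedHost) {
  return linkHosts(html).every((h) => h === trustedHost);
}

const unsafeBody = renderVerificationEmailUnsafe({ name: ATTACKER_NAME }, VERIFY_URL);
const safeBody = renderVerificationEmailSafe({ name: ATTACKER_NAME }, VERIFY_URL);

console.log("unsafe body links:", linkHosts(unsafeBody)); // evil.example appears first
console.log("safe body links:", linkHosts(safeBody));     // only papra.example
```

The injected markup is plain HTML rather than script, and mainstream mail clients generally do not execute JavaScript, so the impact is attacker-controlled content and links inside a message that genuinely came from the application, consistent with the integrity-only CVSS vector on this page. Escaping at the point of interpolation is the fix; the link-host check is a defence-in-depth test worth running against every rendered transactional template, including the password reset one, since any other user-controlled field interpolated the same way would reintroduce the problem.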
References (1)
x_refsource_confirm
https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4
Scores
CVSS v3
4.3
EPSS
0.0019
EPSS Percentile
9.0%
Attack Vector
NETWORK
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-80
Status
published
Products (1)
papra-hq/papra
< 26.4.0
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026