CVE-2026-35460

MEDIUM

Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name

Title source: cna

Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: [email protected]), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.

References (1)

[X_Refsource_Confirm] https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-80

Status published

Products (1)

papra-hq/papra < 26.4.0

Published Apr 07, 2026

Tracked Since Apr 07, 2026