CVE-2025-59526
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: GitHub, Inc.

Description
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Prior to version 2.0.30, there is an HTML injection vulnerability in plaintext e-mails generated by Mailgen. Projects are affected if the Mailgen.generatePlaintext(email) method is used and given user-generated content. This vulnerability has been patched in version 2.0.30. A workaround involves stripping all HTML tags before passing any content into Mailgen.generatePlaintext(email).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59526
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eladnava mailgen *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTML injection issue in the Mailgen Node.js package versions prior to 2.0.30. It occurs in the Mailgen.generatePlaintext(email) method when it processes user-generated content without properly sanitizing it. This allows malicious HTML code to be injected into plaintext emails, potentially causing unintended rendering or execution of HTML in email clients. The vulnerability was fixed in version 2.0.30 by improving the HTML tag stripping mechanism. [1, 2]

Impact Analysis

If you use Mailgen.generatePlaintext(email) with user-generated content in affected versions, an attacker could inject malicious HTML into plaintext emails. This could lead to unexpected email content rendering or potentially exploit email client vulnerabilities. Although the severity is low, it may affect the integrity and safety of transactional emails sent using Mailgen. [1]

Detection Guidance

To detect this vulnerability, you should check if your project uses the Mailgen package with a version prior to 2.0.30 and if it calls the Mailgen.generatePlaintext(email) method with user-generated content. There are no specific network or system commands provided to detect the vulnerability directly. However, you can inspect your package.json or lock files for the Mailgen version and review your code for usage of generatePlaintext with unsanitized input. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the Mailgen package to version 2.0.30 or later, where the vulnerability is patched. As a workaround, manually strip all HTML tags from any user-generated content before passing it to Mailgen.generatePlaintext(email). This can be done by applying a robust HTML tag stripping method that handles multiline tags, similar to the updated regular expression in the patch. This prevents malicious HTML injection in plaintext emails. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59526. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart