CVE-2026-25529
HTML Injection in Postal SMTP Server Admin Interface via API
Publication date: 2026-03-12
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postalserver | postal | < 3.3.5 (3.3.5 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25529 is an HTML injection vulnerability in Postal, an open source SMTP server, affecting versions prior to 3.3.5.
The vulnerability occurs because unescaped data can be included in the admin interface, primarily through the API's "send/raw" method.
This allows an attacker to inject arbitrary HTML into the admin page, which can modify the page in misleading ways or enable unauthorized JavaScript execution.
The issue was fixed in version 3.3.5 and later. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized JavaScript execution within the Postal admin interface.
Such execution can modify the admin page in misleading ways, potentially deceiving administrators or exposing sensitive information.
The CVSS score of 8.1 indicates a high severity, with significant impact on confidentiality and integrity, though availability is not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves HTML injection via the API's "send/raw" method in Postal versions less than 3.3.5. Detection would involve monitoring or inspecting API calls to the "send/raw" endpoint for unescaped or suspicious HTML content.
Since the vulnerability allows arbitrary HTML or JavaScript injection, you can detect it by checking the admin interface for unexpected or unauthorized HTML modifications or script executions.
No specific commands are provided in the available resources to detect this vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Postal to version 3.3.5 or later, where the vulnerability is fixed.
As a partial workaround, avoid using the legacy API's "send/raw" method for message delivery, since the SMTP server sanitizes the characters "<" and ">", which reduces exposure to the vulnerability. [1]
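As an added illustration of the detection and mitigation answers above (example code written for this page, not Postal's own): it inspects a constructed "send/raw" API call for HTML tags in the header fields an admin interface would display, and shows the render-time escaping that stops such tags from being interpreted as markup. The request field names, the list of inspected headers and the sample message are assumptions.

```ruby
require "base64"
require "erb"

# Header fields assumed to be rendered in the admin message views (assumption, not from the advisory).
INSPECTED_HEADERS = %w[from to subject].freeze

# Matches HTML-looking tags such as <b>, </b>, <img src=x>, <br/> but not
# angle-bracket mailbox syntax such as <sender@example.test> ("@" breaks the match).
HTML_TAG = %r{</?[a-z][a-z0-9]*(\s[^>]*)?/?>}i

# Split a raw RFC 5322 message into a lower-cased header hash and the body;
# folded continuation lines are joined back onto their header.
def parse_headers(raw)
  head, _sep, body = raw.partition(/\r?\n\r?\n/)
  headers = {}
  head.split(/\r?\n(?!\s)/).each do |line|
    name, value = line.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip.gsub(/\r?\n\s+/, " ")
  end
  [headers, body]
end

# Inspect one send/raw API call. `params` mimics the request body with a
# base64-encoded "data" field (field layout is an assumption). Returns the
# names of inspected headers that carry HTML tags, so a reviewer can flag the call.
def flag_html_in_raw_call(params)
  headers, _body = parse_headers(Base64.decode64(params.fetch("data")))
  INSPECTED_HEADERS.select { |h| headers[h]&.match?(HTML_TAG) }
end

# Render-time fix: escape the header value before it reaches the admin page so
# tags are shown as text instead of being interpreted as markup.
def render_header_cell(value)
  ERB::Util.html_escape(value)
end

# Constructed sample call: a plain formatting tag in Subject would alter the admin page layout.
SAMPLE_CALL = {
  "mail_from" => "sender@example.test",
  "rcpt_to"   => ["admin@example.test"],
  "data"      => Base64.strict_encode64(
    "From: Sender <sender@example.test>\r\n" \
    "To: admin@example.test\r\n" \
    "Subject: <b>URGENT</b> invoice\r\n\r\n" \
    "Plain text body.\r\n"
  )
}

puts flag_html_in_raw_call(SAMPLE_CALL).inspect   # => ["subject"]
```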