CVE-2026-25529
Received Received - Intake
HTML Injection in Postal SMTP Server Admin Interface via API

Publication date: 2026-03-12

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25529
EUVD
EUVD-2026-11603
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
postalserver postal to 3.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25529 is an HTML injection vulnerability in Postal, an open source SMTP server, affecting versions prior to 3.3.5.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because unescaped data can be included in the admin interface, primarily through the API\'s "send/raw" method.'}, {'type': 'paragraph', 'content': 'This allows an attacker to inject arbitrary HTML into the admin page, which can modify the page in misleading ways or enable unauthorized JavaScript execution.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 3.3.5 and later.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized JavaScript execution within the Postal admin interface.

Such execution can modify the admin page in misleading ways, potentially deceiving administrators or exposing sensitive information.

The CVSS score of 8.1 indicates a high severity, with significant impact on confidentiality and integrity, though availability is not affected.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability involves HTML injection via the API\'s "send/raw" method in Postal versions less than 3.3.5. Detection would involve monitoring or inspecting API calls to the "send/raw" endpoint for unescaped or suspicious HTML content.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows arbitrary HTML or JavaScript injection, you can detect it by checking the admin interface for unexpected or unauthorized HTML modifications or script executions.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the available resources to detect this vulnerability.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade Postal to version 3.3.5 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'As a partial workaround, avoid using the legacy API\'s "send/raw" method for message delivery, since the SMTP server sanitizes the characters "<" and ">", which reduces exposure to the vulnerability.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25529. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart