CVE-2026-3455
Received Received - Intake
Cross-site Scripting in mailparser textToHtml() Allows Script Execution

Publication date: 2026-03-03

Last updated on: 2026-04-29

Assigner: Snyk

Description
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-03-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-3455
EUVD
EUVD-2026-9279
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nodemailer mailparser to 3.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': "CVE-2026-3455 is a Cross-site Scripting (XSS) vulnerability in the mailparser npm package versions before 3.9.3. It occurs in the textToHtml() function, which improperly sanitizes URLs in email content. Attackers can inject malicious JavaScript by adding extra quotation marks to URLs, causing the generated HTML anchor tags to break out of their attribute context and execute arbitrary scripts in the victim's browser."}, {'type': 'paragraph', 'content': 'Specifically, the vulnerability arises because URLs and link text are inserted directly into the href attribute and link text without proper escaping or encoding. For example, a malicious URL like http://google.com?"onmouseover="alert(\'XSS\')" results in an anchor tag that executes JavaScript when a user interacts with it.'}, {'type': 'paragraph', 'content': 'This vulnerability allows attackers to bypass the Same Origin Policy and execute scripts in the context of trusted websites, potentially leading to cookie theft, session hijacking, and other malicious actions.'}] [1, 2, 4]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your browser when you process malicious emails using the affected mailparser versions. This can lead to several security risks including:

  • Stealing cookies and session tokens, which can lead to account hijacking.
  • Exposing sensitive information displayed or accessible in the browser.
  • Hijacking user sessions and impersonating users.
  • Accessing privileged services or performing unauthorized actions.
  • Delivering malware or further malicious payloads through the browser.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by analyzing email content processed by the mailparser package, specifically looking for malicious URLs containing extra double quotes that break out of HTML attributes and inject JavaScript code.'}, {'type': 'paragraph', 'content': "A practical detection method involves parsing suspicious emails with a test script using the mailparser library's simpleParser function to generate HTML output and then inspecting the output for injected event handlers or script tags."}, {'type': 'paragraph', 'content': 'For example, a proof-of-concept test script can parse a crafted .eml email file containing a malicious URL like `http://google.com?"onmouseover="alert(\'XSS\')"` and write the vulnerable HTML output to a file (e.g., poc_output.html). Opening this file in a browser will trigger the XSS alert if the vulnerability is present.'}, {'type': 'paragraph', 'content': 'No specific network commands are provided in the resources, but monitoring email processing logs and scanning for suspicious URLs with embedded quotes in email content processed by mailparser can help detect exploitation attempts.'}] [2]


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade the mailparser package to version 3.9.3 or later, where the vulnerability has been fixed.

The fix involves escaping double quotes in URLs before inserting them into HTML anchor tags and HTML-encoding the link text to prevent injection of malicious scripts.

  • Upgrade mailparser to version 3.9.3 or later.
  • Sanitize and validate all user inputs, especially URLs extracted from emails.
  • Escape special characters in URLs and link text before embedding them into HTML.
  • Implement Content Security Policies (CSP) to restrict execution of unauthorized scripts.
  • Disable client-side scripts where possible to reduce attack surface.
  • Redirect or block invalid requests containing suspicious URL patterns.
  • Detect and invalidate simultaneous logins to reduce session hijacking risks.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart