CVE-2026-35460
HTML Injection in Papra Email Templates Enables Phishing Attacks
Publication date: 2026-04-07
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| papra | papra | < 26.4.0 (26.4.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to inject arbitrary HTML into transactional emails sent by Papra, enabling phishing attacks that appear to originate from legitimate Papra notifications.
Such phishing attacks can lead to user deception and potential credential theft, which may result in unauthorized access to personal or sensitive data.
This risk of unauthorized access and deception could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user data and ensuring secure communication.
However, the CVE description and resources do not explicitly mention compliance impacts or regulatory considerations.
Can you explain this vulnerability to me?
CVE-2026-35460 is an HTML injection vulnerability in the Papra document management platform affecting versions prior to 26.4.0.
The vulnerability arises because Papra's transactional email templates (specifically verification and password reset emails) insert the user's display name directly into the HTML content without escaping or sanitizing it.
An attacker can register an account with a display name containing malicious HTML tags, which then get injected into these emails.
Since these emails are sent from the legitimate Papra domain, the injected HTML can be used to craft convincing phishing attacks that appear to come from official Papra notifications.
The root cause is the lack of sanitization or escaping of the user.name field before embedding it into the email HTML templates.
This issue is fixed in Papra version 26.4.0 by applying a sanitization function to the user display name before including it in email bodies.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject arbitrary HTML content into verification and password reset emails sent from Papra.
- Attackers can replace legitimate links with malicious URLs, enabling phishing or credential theft.
- They can inject fake security warnings or other deceptive content to trick users.
- Attackers may embed tracking pixels or external resources to monitor email delivery and user activity.
Because these emails come from the legitimate Papra domain, users are more likely to trust them, increasing the effectiveness of such attacks.
The vulnerability has a moderate severity with a CVSS score of 4.3, and requires low privileges and no user interaction to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining the content of verification and password reset emails sent by Papra to see if user display names containing HTML tags are injected without sanitization.
One practical approach is to register a test user account with a display name containing HTML tags (e.g., <b style="color:red">INJECTED</b>) and then trigger the sending of verification or password reset emails.
If you have access to the email logs or can intercept outgoing emails (for example, by enabling email logging or using a mail proxy), you can inspect the email bodies for unescaped HTML tags in the user name field.
For systems running Papra in a Docker environment with email logging enabled (EMAILS_DRY_RUN=true), you can check the logs for these emails.
Suggested commands might include:
- Register a test user with an HTML tag in the display name via the application UI or API.
- Trigger a password reset or verification email for that user.
- Use grep or similar tools to search email logs for injected HTML tags, e.g.:
- grep -i '<b style="color:red">INJECTED</b>' /path/to/email/logs
- Alternatively, capture outgoing emails with a tool like tcpdump or Wireshark filtering SMTP traffic and inspect the email content for unescaped HTML in the user name; this only exposes the message body when the SMTP session is not TLS-protected (no STARTTLS or SMTPS), so log-based inspection or a mail proxy is usually the more practical route.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Papra to version 26.4.0 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, a temporary workaround is to sanitize or escape the user display name before it is embedded into the HTML email templates.
Specifically, apply the existing sanitize() function from the sanitize-html package to the user.name field in the verification and password reset email templates.
This can be done by modifying the email sending code to use:
- html: `<p>Hello ${sanitize(user.name)},</p> <p>Verify your email by clicking <a href="${url}">here</a></p>`.trim()
Alternatively, use lightweight HTML entity encoding libraries such as he or html-escaper to encode user input before embedding it.
Additionally, monitor email templates and user registrations for suspicious display names containing HTML tags and consider blocking or sanitizing such inputs at registration.
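The unsafe interpolation described above next to an escaped version, plus a check of the kind the detection answer suggests, as an added JavaScript example that is not Papra's code: escapeHtml() is a stand-in entity encoder for the sanitize()/he/html-escaper options named above, the template text follows the snippet in the mitigation answer, and the user record and URL are constructed placeholders.

```javascript
// Added example, not Papra's code. escapeHtml() stands in for the sanitize() /
// he / html-escaper options the advisory names; the template text follows the
// advisory's snippet; the user record and URL are constructed placeholders.

// Minimal HTML entity encoder for text placed inside an HTML element body.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pre-fix behaviour: the display name is interpolated into the HTML unescaped,
// so any tags in user.name become part of the email markup.
function renderVerificationEmailUnsafe(user, url) {
  return `<p>Hello ${user.name},</p> <p>Verify your email by clicking <a href="${url}">here</a></p>`.trim();
}

// Fixed behaviour: the display name is encoded before interpolation, so the
// mail client renders it as literal text (the advisory's sanitize(user.name) pattern).
function renderVerificationEmailSafe(user, url) {
  return `<p>Hello ${escapeHtml(user.name)},</p> <p>Verify your email by clicking <a href="${url}">here</a></p>`.trim();
}

// Detection check for a logged or captured email body: the greeting paragraph
// must contain no raw tags. Returns the tags found there, or [] when clean.
function findInjectedTags(body) {
  const greeting = body.match(/<p>Hello ([\s\S]*?)<\/p>/);
  if (!greeting) return [];
  return greeting[1].match(/<[^>]+>/g) || [];
}

// Constructed test data: the marker display name from the detection advice above.
const testUser = { name: '<b style="color:red">INJECTED</b>' };
const verifyUrl = 'https://papra.example/verify?token=PLACEHOLDER';

console.log(findInjectedTags(renderVerificationEmailUnsafe(testUser, verifyUrl))); // two raw tags
console.log(findInjectedTags(renderVerificationEmailSafe(testUser, verifyUrl)));   // []
```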