Description

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

INFO

Published Date :

2026-03-03T05:00:11.753Z

Last Modified :

2026-03-03T15:17:56.714Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2026-3455 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-3455.

URL Resource
https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a cve-icon cve-icon
https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08 cve-icon cve-icon
https://github.com/nodemailer/mailparser/issues/412 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact