Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: [email protected]), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.

INFO

Published Date :

2026-04-07T14:26:52.943Z

Last Modified :

2026-04-07T15:59:07.465Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35460 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35460.

URL Resource
https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact