CVE-2025-59526: Mailgen: HTML injection vulnerability in plaintext e-mails

September 22, 2025 (updated September 23, 2025)

An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the Mailgen.generatePlaintext(email); method and pass in user-generated content. The issue was discovered and reported by Edoardo Ottavianelli (@edoardottt).

References

github.com/advisories/GHSA-j2xj-h7w5-r7vp
github.com/eladnava/mailgen
github.com/eladnava/mailgen/commit/741a0190ddae0f408b22ae3b5f0f4c3f5cf4f11d
github.com/eladnava/mailgen/security/advisories/GHSA-j2xj-h7w5-r7vp
nvd.nist.gov/vuln/detail/CVE-2025-59526

Code Behaviors & Features

Detect and mitigate CVE-2025-59526 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →