CVE-2025-62366: Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails

October 14, 2025

An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the Mailgen.generatePlaintext(email) method and pass in user-generated content. The issue was discovered and reported by Edoardo Ottavianelli (@edoardottt).

References

github.com/advisories/GHSA-xw6r-chmh-vpmj
github.com/eladnava/mailgen
github.com/eladnava/mailgen/commit/7279a983481d05c51aa451e86146f98aaa42fee9
github.com/eladnava/mailgen/security/advisories/GHSA-xw6r-chmh-vpmj
nvd.nist.gov/vuln/detail/CVE-2025-62366

Code Behaviors & Features

Detect and mitigate CVE-2025-62366 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →