CVE-2025-62380: Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails

October 15, 2025 (updated November 10, 2025)

An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Projecta are affected if the Mailgen.generatePlaintext(email) method is used and passed in user-generated content. The issue was discovered and reported by Edoardo Ottavianelli (@edoardottt).

References

github.com/advisories/GHSA-q4w9-x3rv-4c8j
github.com/eladnava/mailgen
github.com/eladnava/mailgen/commit/7a791a424ff3a3f7783f8750919f1e98639924a8
github.com/eladnava/mailgen/security/advisories/GHSA-q4w9-x3rv-4c8j
nvd.nist.gov/vuln/detail/CVE-2025-62380

Code Behaviors & Features

Detect and mitigate CVE-2025-62380 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →