CVE-2026-3455: mailparser vulnerable to Cross-site Scripting
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by appending an extra double quote (") to a URL that carries embedded malicious JavaScript code.
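The defensive pattern behind the fix, as an added illustration that is not mailparser's own code: a minimal text-to-HTML linkifier that HTML-escapes the whole URL before emitting it as an href value, so a stray double quote cannot terminate the attribute, plus a check that every generated anchor tag is well-formed. Function names and the sample strings are constructed for this example.

```javascript
// Added example (not mailparser's code): linkify http(s) URLs in plain text
// while escaping every attribute-breaking character in the URL itself.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http(s) URLs are linkified; a URL token ends at whitespace or '<'.
const URL_RE = /\bhttps?:\/\/[^\s<]+/g;

function textToHtmlSafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    // Text between links is escaped as ordinary HTML text.
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    // The URL is escaped both as the attribute value and as the link text,
    // so a '"' inside it becomes &quot; and stays inside href="...".
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Sanity check a defender can run over converter output: every <a ...> tag
// must consist of exactly one href="..." attribute whose value holds no raw
// double quote, i.e. nothing in the URL was able to add further attributes.
function anchorTagsWellFormed(html) {
  const tags = html.match(/<a [^>]*>/g) || [];
  return tags.every((t) => /^<a href="[^"]*">$/.test(t));
}
```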
References
- gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
- github.com/advisories/GHSA-7gmj-h9xc-mcxc
- github.com/nodemailer/mailparser
- github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08
- github.com/nodemailer/mailparser/issues/412
- nvd.nist.gov/vuln/detail/CVE-2026-3455
- security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032