8.1
Postal SMTP Server: Admin Interface Data Tampering Risk
CVE-2026-25529
Summary
Versions of Postal SMTP server below 3.3.5 have a security flaw that could let attackers inject malicious HTML code into the admin interface, potentially changing its appearance or running unauthorized scripts. This affects all users of affected versions. Update to version 3.3.5 or later to fix the issue.
Original title
Postal is an open source SMTP server. Postal versions less than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unesc...
Original description
Postal is an open source SMTP server. Postal versions less than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected into the page, which may modify the page in a misleading way or allow for unauthorised JavaScript to be executed. Fixed in 3.3.5 and higher.
nvd CVSS3.1
8.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026
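The defect class described above, as an added example (not Postal's code and not part of the advisory): header values from a raw message rendered into an admin table row, first unescaped and then escaped at output, plus a check for reviewing stored messages. This page does not say which fields were rendered unescaped; the `from`/`subject` choice, the helper names and the sample message are assumptions.

```ruby
require "erb"

# Constructed sample of a raw RFC 5322 message; header values are chosen by
# whoever submits it, so they are untrusted input to any page that shows them.
RAW_MESSAGE = <<~MAIL
  From: "Billing <b>Team</b>" <billing@example.com>
  To: user@example.net
  Subject: Invoice <script>alert(1)</script>

  Body text.
MAIL

# Hypothetical helper: header name => value, with folded lines unfolded.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  head.gsub(/\r?\n[ \t]+/, " ").each_line.with_object({}) do |line, h|
    name, value = line.chomp.split(":", 2)
    h[name.downcase] = value.strip if name && value
  end
end

# BEFORE (assumed shape of the defect): values interpolated into markup as-is.
def render_row_unescaped(headers)
  "<tr><td>#{headers['from']}</td><td>#{headers['subject']}</td></tr>"
end

# AFTER: every untrusted value is HTML-escaped at output time.
def render_row_escaped(headers)
  cells = %w[from subject].map do |key|
    "<td>#{ERB::Util.html_escape(headers[key].to_s)}</td>"
  end
  "<tr>#{cells.join}</tr>"
end

# Audit helper: headers whose values contain something shaped like an HTML
# tag. An angle-bracketed address such as <a@b.example> does not match.
TAG_LIKE = /<\/?[a-z][a-z0-9]*(\s[^>]*)?>/i

def headers_with_markup(headers)
  headers.select { |_name, value| value.match?(TAG_LIKE) }.keys
end

if __FILE__ == $PROGRAM_NAME
  headers = parse_headers(RAW_MESSAGE)
  puts render_row_unescaped(headers)
  puts render_row_escaped(headers)
  puts "review: #{headers_with_markup(headers).join(', ')}"
end
```

The audit check is a review aid for messages stored before upgrading to 3.3.5 or later; escaping at output is what removes the injection.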