Mailparser Allows Malicious Email Code to Run on Your Browser
CVE-2026-3455
GHSA-7gmj-h9xc-mcxc
Summary
If you use mailparser, a library that helps process email data, and you're using a version older than 3.9.3, an attacker could trick your users into running malicious code by sending a specially crafted email. This is a risk because it allows an attacker to take control of your users' browsers. To fix this, update to version 3.9.3 or later.
What to do
- Update GitHub Actions mailparser to version 3.9.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | mailparser | <= 3.9.3 | 3.9.3 |
Original title
mailparser vulnerable to Cross-site Scripting
Original description
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding an extra quote (") to a URL that carries embedded malicious JavaScript code.
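The description above says the defect is in how URLs are turned into HTML: a literal double quote inside a URL that is interpolated verbatim into an href attribute closes that attribute, and whatever follows is parsed as further markup. The following is an added example, not mailparser's textToHtml() or any code from the project: a minimal, hypothetical linkifier (linkifyNaive) that reproduces the unsafe pattern, beside a hardened version (linkifySafe) that parses the URL with the WHATWG URL API, restricts the scheme, and HTML-escapes both the attribute value and the visible text. The sample email text and the helper readHrefAttribute (which emulates how a browser would read the href value) are constructed for the demonstration.

```javascript
// Added example (not mailparser's code). Names, inputs and helpers are constructed.

// Matches http/https URLs up to the next whitespace or '<'.
const URL_RE = /\bhttps?:\/\/[^\s<]+/g;

// Unsafe pattern: the matched URL goes into the href attribute unchanged.
// A literal " in the URL terminates the attribute value early, and the
// remainder of the URL is parsed by the browser as extra attributes.
function linkifyNaive(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-escape suitable for both text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern:
//  1. parse with the WHATWG URL API; unparseable input is emitted as plain text,
//  2. allow only http/https (defence in depth should URL_RE ever be loosened),
//  3. use the serialised href, in which a bare " has been percent-encoded to %22,
//  4. escape the attribute value and the visible text separately.
function linkifySafe(text) {
  return text.replace(URL_RE, (raw) => {
    let parsed;
    try {
      parsed = new URL(raw);
    } catch {
      return escapeHtml(raw);
    }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return escapeHtml(raw);
    }
    return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(raw)}</a>`;
  });
}

// Emulates the browser's view of the first <a> tag: the href value ends at the
// next double quote; `rest` is whatever the tag still contains after it.
// A non-empty `rest` means the URL escaped the attribute.
function readHrefAttribute(html) {
  const m = html.match(/<a\s+href="([^"]*)"([^>]*)>/);
  return m ? { href: m[1], rest: m[2] } : null;
}

// Constructed sample: a URL whose quote would break out of the attribute.
// The injected attribute is a harmless `title` purely to make the breakout visible.
const SAMPLE_EMAIL_TEXT = 'see http://example.com/?q="title="injected now';

console.log('naive :', linkifyNaive(SAMPLE_EMAIL_TEXT));
console.log('safe  :', linkifySafe(SAMPLE_EMAIL_TEXT));
console.log('naive tag rest:', JSON.stringify(readHrefAttribute(linkifyNaive(SAMPLE_EMAIL_TEXT)).rest));
console.log('safe tag rest :', JSON.stringify(readHrefAttribute(linkifySafe(SAMPLE_EMAIL_TEXT)).rest));
```

Running this with Node prints a naive tag whose href is cut off at the quote and whose remainder is parsed as a separate attribute, while the hardened output keeps the entire URL inside a single, quote-free href. For a library you cannot patch immediately, the same two checks (attribute-escape the href, allowlist the scheme) are what to apply to any text-to-HTML step you control before the result reaches a browser.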
CVSS 3.1 (NVD): 6.1
CVSS 4.0 (NVD): 5.1
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
References
- https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
- https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4...
- https://github.com/nodemailer/mailparser/issues/412
- https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032
- https://nvd.nist.gov/vuln/detail/CVE-2026-3455
- https://github.com/advisories/GHSA-7gmj-h9xc-mcxc
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026