CVE-2024-26151

8.2 HIGH

📋 TL;DR

CVE-2024-26151 is an input validation vulnerability in the mjml PyPI package that allows cross-site scripting (XSS) attacks when untrusted data is inserted into MJML templates. Attackers who can control data that gets injected into templates can execute arbitrary JavaScript in email recipients' browsers. All users of FelixSchwarz/mjml-python versions 0.10.0 to 0.10.x are affected.

💻 Affected Systems

Products:
  • FelixSchwarz/mjml-python (mjml PyPI package)
Versions: 0.10.0 to 0.10.x (versions before 0.10.0 are not affected)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing untrusted user input in MJML templates that are rendered as HTML emails.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in email recipients' browsers, potentially stealing session cookies, credentials, or performing phishing attacks with legitimate-looking emails.

🟠 Likely Case

Email content manipulation allowing attackers to inject malicious scripts that execute when recipients view emails in vulnerable email clients.

🟢 If Mitigated

No impact if proper input validation/sanitization is implemented or if the vulnerable library is not used with untrusted data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to control input that gets inserted into an MJML template, which is then rendered and sent as email to other users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.0

Vendor Advisory: https://github.com/FelixSchwarz/mjml-python/security/advisories/GHSA-578p-fxmm-6229

Restart Required: No

Instructions:

1. Update mjml package: pip install --upgrade mjml==0.11.0
2. Verify the update with: pip show mjml
3. Test email template rendering with sample malicious inputs to ensure proper escaping.

🔧 Temporary Workarounds

Input Sanitization Workaround

all

Implement strict input validation and HTML entity escaping for all user-controlled data before inserting into MJML templates.

🧯 If You Can't Patch

  • Implement server-side input validation to reject or sanitize HTML/JavaScript sequences in user input
  • Use alternative email template systems that properly escape user input

🔍 How to Verify

Check if Vulnerable:

Check installed mjml version: pip show mjml | grep Version
If version is 0.10.0 to 0.10.x and you process untrusted user input in MJML templates, you are vulnerable.

Check Version:

pip show mjml | grep Version

Verify Fix Applied:

After updating to 0.11.0, test with malicious input like '<script>alert(1)</script>' in MJML templates and verify it gets properly escaped in output HTML.
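The two checks above (is the installed version in the affected range, and does untrusted data come out escaped) as one script. This is an added example, not code from the advisory or from the mjml-python project; it uses only the standard library, the PyPI distribution name `mjml` from the `pip show` command above, and the `0.10.x` range the advisory gives. The `<mj-text>` wrapper and the active-content heuristic are assumptions of the example, not project APIs.

```python
"""Added example: version check against the advisory's affected range plus an
escaping check for user-controlled data placed into an MJML template."""
import html
import re
from importlib import metadata


def is_affected_version(version: str) -> bool:
    """True when `version` lies in the 0.10.x range the advisory names
    (0.10.0 <= version < 0.11.0); earlier and later releases return False."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return (major, minor) == (0, 10)


def installed_mjml_status() -> str:
    """Inspect the installed `mjml` distribution; returns 'not-installed',
    'affected' or 'ok'."""
    try:
        version = metadata.version("mjml")  # distribution name from `pip show mjml`
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "affected" if is_affected_version(version) else "ok"


def safe_mj_text(user_value: str) -> str:
    """Hypothetical helper for the workaround: HTML-entity-escape an untrusted
    value before it is embedded as text content of an <mj-text> element.
    quote=True also escapes " and ' so the value is inert in attribute context."""
    return f"<mj-text>{html.escape(user_value, quote=True)}</mj-text>"


# Heuristic used to verify the fix: does rendered output still carry an
# unescaped <script> tag, an inline on*= handler inside a tag, or a
# javascript: URI in an attribute? Escaped text has no literal '<', so
# correctly escaped probes do not match.
_ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|<[^>]*\bon\w+\s*=|=\s*['\"]?\s*javascript:", re.IGNORECASE
)


def contains_active_content(rendered: str) -> bool:
    """True if `rendered` still contains active (unescaped) content."""
    return bool(_ACTIVE_CONTENT.search(rendered))


if __name__ == "__main__":
    print("installed mjml:", installed_mjml_status())
    probe = "<script>alert(1)</script>"  # probe string from the verification step
    out = safe_mj_text(probe)
    print(out)
    print("active content after escaping:", contains_active_content(out))
```

Escaping as text content is the right tool only for values that end up as visible text; a value that is used as a URL, an attribute or a CSS value needs validation against an allow-list for that context, and the heuristic regex is a smoke test, not a substitute for the upgrade.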

📡 Detection & Monitoring

Log Indicators:

  • Unusual email content patterns, unexpected HTML/script tags in email generation logs

Network Indicators:

  • Emails containing unexpected script tags or JavaScript code

SIEM Query:

Search for email generation events with suspicious patterns like '<script>' or JavaScript code in template rendering logs
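The detection idea above, run over template-rendering log lines. This is an added example, not part of the advisory; the key=value log format, the `event=mjml.render` event name and the `input="…"` field are constructed assumptions, since the advisory does not specify how rendering is logged. The scanner decodes HTML entities before matching so that an attempt that was already escaped upstream is still counted as an attempt, and reports that fact separately.

```python
"""Added example: flag injection attempts in (constructed) MJML rendering logs."""
import html
import re

# Constructed sample log in an assumed key=value format. The `input=` field
# holds the user-controlled value that was inserted into the template.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z level=INFO event=mjml.render template=welcome.mjml input="Alice"
2024-03-01T09:12:07Z level=INFO event=mjml.render template=welcome.mjml input="<script>alert(1)</script>"
2024-03-01T09:12:09Z level=INFO event=mjml.render template=invoice.mjml input="&lt;img src=x onerror=alert(1)&gt;"
2024-03-01T09:12:11Z level=INFO event=mjml.render template=reset.mjml input="<a href='javascript:alert(1)'>click</a>"
2024-03-01T09:12:15Z level=INFO event=smtp.send to=bob@example.com
"""

# Named patterns; order is preserved in the findings.
PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event-handler": re.compile(r"<[^>]*\bon\w+\s*=", re.IGNORECASE),
    "javascript-uri": re.compile(r"=\s*['\"]?\s*javascript:", re.IGNORECASE),
}


def parse_line(line: str) -> dict:
    """Split a log line into fields. Everything after ` input="` is the raw
    input value (it may itself contain spaces and '=' characters)."""
    head, sep, tail = line.partition(' input="')
    tokens = head.split()
    fields = {"ts": tokens[0]}
    fields.update(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
    if sep:
        fields["input"] = tail.rstrip().rstrip('"')
    return fields


def scan(log_text: str) -> list:
    """Return one finding per rendering event whose input matches a pattern."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("event") != "mjml.render" or "input" not in f:
            continue
        # Decode entities first: an escaped probe is still evidence of an attempt.
        decoded = html.unescape(f["input"])
        hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ts": f["ts"],
                "template": f.get("template"),
                "patterns": hits,
                "escaped_in_log": decoded != f["input"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `escaped_in_log` set to True means the value was neutralised before it was logged and is useful mainly as an indicator of probing; one with it False on an affected version is the case to treat as a possible delivered payload and to check against the outbound mail.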

🔗 References
