CVE-2026-26266

9.3 CRITICAL

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in AliasVault Web Client allows attackers to inject malicious JavaScript into emails sent to any AliasVault email alias. When victims view these emails in the web client, the script executes with full application privileges, potentially compromising user accounts and sensitive data. All users of AliasVault Web Client versions 0.25.3 and lower are affected.

💻 Affected Systems

Products:
  • AliasVault Web Client
Versions: 0.25.3 and lower
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web client interface when viewing emails through email aliases.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete account takeover, theft of all stored passwords and email aliases, unauthorized access to connected services, and potential lateral movement within the application.

🟠 Likely Case
Session hijacking, credential theft, unauthorized access to password vaults, and compromise of email aliases.

🟢 If Mitigated
Limited impact with proper network segmentation and monitoring, though XSS could still lead to session theft if exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires sending a crafted email to the victim's alias; no authentication is needed, because the script executes as soon as the victim views the email in the web client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.26.0

Vendor Advisory: https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q

Restart Required: Yes

Instructions:

1. Backup current configuration and data.
2. Update AliasVault Web Client to version 0.26.0 or higher.
3. Restart the web client service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Email Rendering
Temporarily disable HTML email rendering in the web client to prevent XSS execution.
Configure the web client to display emails as plain text only.

Network Isolation
Restrict access to the web client interface to trusted networks only.
Configure firewall rules to limit web client access.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Deploy web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the web client version in the admin interface or configuration files. If the version is 0.25.3 or lower, the system is vulnerable.

Check Version:

Check the web client configuration or admin panel for version information.

Verify Fix Applied:

Verify that the web client version is 0.26.0 or higher, then confirm that HTML email rendering no longer executes known XSS test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual email viewing patterns
  • Multiple failed login attempts after email access
  • JavaScript errors in application logs

Network Indicators:

  • Suspicious email attachments or HTML content
  • Unusual outbound connections from web client

SIEM Query:

search 'email_view' AND ('javascript_error' OR 'iframe_srcdoc') in application logs

Group the two follow-up indicators so they are matched only together with an email view, and adapt the literal terms to the field names your deployment actually logs.
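As an added example (not part of this advisory and not AliasVault's own code), the correlation behind the SIEM query applied to constructed log lines: a session is flagged only when a javascript_error or iframe_srcdoc event follows an email_view in the same session within a time window. The log line format, the sess= and event= field names and the window length are assumptions.

```python
# Added example: per-session correlation of the advisory's log indicators.
# The log format, field names and sample lines below are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <level> sess=<id> event=<name> ...".
SAMPLE_LOGS = """\
2026-03-01T10:00:01Z INFO sess=a1 event=email_view alias=shop@example.test
2026-03-01T10:00:02Z ERROR sess=a1 event=javascript_error msg="Unexpected token"
2026-03-01T10:05:00Z INFO sess=b2 event=email_view alias=news@example.test
2026-03-01T10:20:00Z ERROR sess=b2 event=javascript_error msg="unrelated late error"
2026-03-01T11:00:00Z INFO sess=c3 event=email_view alias=bank@example.test
2026-03-01T11:00:01Z WARN sess=c3 event=iframe_srcdoc alias=bank@example.test
2026-03-01T12:00:00Z ERROR sess=d4 event=javascript_error msg="no email view before"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\S+) sess=(?P<sess>\S+) event=(?P<event>\S+)(?P<rest>.*)$"
)
FOLLOW_UP = {"javascript_error", "iframe_srcdoc"}  # the advisory's follow-up indicators


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "sess": m["sess"], "event": m["event"]}


def find_suspicious_sessions(log_text, window_seconds=60):
    """Return {session: [follow-up events]} for sessions where javascript_error or
    iframe_srcdoc occurs within window_seconds AFTER an email_view in that session.
    This is the ordered, time-bounded form of: email_view AND (javascript_error OR iframe_srcdoc)."""
    last_view = {}            # session -> timestamp of its most recent email_view
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"] == "email_view":
            last_view[rec["sess"]] = rec["ts"]
        elif rec["event"] in FOLLOW_UP:
            seen = last_view.get(rec["sess"])
            if seen is not None and rec["ts"] - seen <= timedelta(seconds=window_seconds):
                hits[rec["sess"]].append(rec["event"])
    return dict(hits)


if __name__ == "__main__":
    for sess, events in find_suspicious_sessions(SAMPLE_LOGS).items():
        print(f"session {sess}: email_view followed by {', '.join(events)}")
```

Sessions b2 (error 15 minutes after the view) and d4 (error with no prior view) are not flagged with the default window; widening the window to 20 minutes picks up b2.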
