CVE-2026-3455

6.1 MEDIUM

📋 TL;DR

CVE-2026-3455 is a cross-site scripting vulnerability in mailparser versions before 3.9.3 where the textToHtml() function fails to properly sanitize URLs in email content. Attackers can inject malicious JavaScript by adding extra quotes to URLs, potentially executing arbitrary scripts in victims' browsers. This affects any application using vulnerable versions of the mailparser package to process email content.

💻 Affected Systems

Products:
  • mailparser
Versions: All versions before 3.9.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the textToHtml() function on untrusted email content. The vulnerability is in the package itself, not dependent on specific OS configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware through drive-by downloads.

🟠 Likely Case: Attackers could steal user credentials, session tokens, or perform limited actions within the context of the vulnerable email parsing application.

🟢 If Mitigated: With proper input validation and output encoding, the impact is limited to potential data leakage from the email parsing context only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with publicly available details. Attackers need to craft malicious email content that gets processed by vulnerable systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.3

Vendor Advisory: https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08

Restart Required: No

Instructions:

1. Update the mailparser package to version 3.9.3 or later: npm update mailparser
2. Verify the installed version: npm list mailparser
3. Test email parsing functionality to confirm compatibility.

🔧 Temporary Workarounds

Input Sanitization Wrapper (all platforms)

Implement custom URL sanitization before passing content to the textToHtml() function.

// JavaScript example: drop a quote that is immediately followed by a script-capable scheme
const sanitizedContent = content.replace(/"(javascript:|data:)/gi, '');
// Note: this only removes the exact quote-plus-scheme sequence; other stray quotes inside URLs are left untouched.
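A more general pre-filter for the same workaround, added here as an example and not mailparser's own code: it percent-encodes the characters that can close an href attribute in every URL-like token, and drops javascript:, data: and vbscript: links entirely. The textToHtml argument of safeTextToHtml, the helper names and the sample text are assumptions.

```javascript
'use strict';

// Characters that can end or alter an HTML attribute value. Percent-encoding
// them keeps the URL usable while removing any way to break out of href="...".
const ATTRIBUTE_BREAKERS = { '"': '%22', "'": '%27', '<': '%3C', '>': '%3E', '`': '%60' };

// Schemes that must never become a clickable link in rendered email.
const DANGEROUS_SCHEMES = /^(?:javascript|data|vbscript):/i;

// Anything an autolinker is likely to wrap in <a href>: "scheme:rest" or "www.rest".
// Matching a few non-links (e.g. "Re:foo") is harmless; they only get quotes encoded.
const URL_TOKEN_RE = /\b(?:[a-z][a-z0-9+.-]*:|www\.)\S+/gi;

// Rewrites every URL-like token and reports the ones dropped outright so the
// caller can log them (useful input for the detection rules in this advisory).
function neutralizeUrls(text) {
  const removed = [];
  const safe = text.replace(URL_TOKEN_RE, (token) => {
    if (DANGEROUS_SCHEMES.test(token)) {
      removed.push(token);
      return '[link removed]';
    }
    return token.replace(/["'<>`]/g, (c) => ATTRIBUTE_BREAKERS[c]);
  });
  return { text: safe, removed };
}

// Drop-in front of the library call. `textToHtml` is assumed to be whatever
// string -> string function the application already uses; it is not imported here.
function safeTextToHtml(text, textToHtml) {
  const { text: safe, removed } = neutralizeUrls(text);
  if (removed.length > 0) console.warn('pre-filter removed links:', removed);
  return textToHtml(safe);
}

// Constructed sample input: one link carrying a stray quote, one blocked scheme,
// one bare www. link with a quote. Not taken from any real message.
const SAMPLE = 'Invoice: http://example.com/doc"id=7 and javascript:void(0) see www.example.org/"x';
console.log(neutralizeUrls(SAMPLE));
```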

🧯 If You Can't Patch

  • Disable or avoid using textToHtml() function on untrusted email content
  • Implement Content Security Policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list mailparser to see if version is below 3.9.3

Check Version:

npm list mailparser | grep mailparser

Verify Fix Applied:

Verify mailparser version is 3.9.3 or higher with npm list mailparser and test with known malicious email content

📡 Detection & Monitoring

Log Indicators:

  • Unusual email parsing errors
  • Multiple failed parsing attempts
  • Log entries showing malformed URLs in email processing

Network Indicators:

  • Unusual outbound connections from email processing servers
  • Traffic patterns suggesting data exfiltration

SIEM Query:

source="application_logs" AND ("textToHtml" OR "mailparser") AND ("error" OR "malformed" OR "javascript:")
