Cyber Resilience

CVE-2026-25529

High

Published: 12 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available (fixed in 3.3.5)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0024 (14.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25529 is a high-severity cross-site scripting (CWE-79) vulnerability in Postal (postalserver/postal). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 14.1th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-25529 is an HTML injection vulnerability (CWE-79) affecting Postal, an open source SMTP server, in versions prior to 3.3.5. The flaw allows unescaped data to reach the admin interface, primarily through the API's "send/raw" method. Because the injected data is stored and rendered later, this is a stored XSS: arbitrary HTML can be inserted that alters the page's appearance in a misleading way or executes unauthorised JavaScript in an administrator's browser. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting network accessibility, low attack complexity, and high impact on confidentiality and integrity. Note that although the vector scores UI:N, the payload only runs when an administrator opens the affected page in the admin interface, so the moment of impact depends on admin activity rather than on the attacker alone.

An attacker with low privileges, such as an API client authenticated to the "send/raw" endpoint, can exploit this over the network with no interaction required from the attacker's side. Successful exploitation injects malicious HTML or JavaScript into the admin interface, which can be used to steal administrator session cookies, perform actions as the administrator, or manipulate interface elements to deceive whoever is viewing the page.

The official GitHub Security Advisory (GHSA-5f4r-5jpr-rfhc) confirms the issue was fixed in Postal version 3.3.5 and later, recommending immediate upgrades for affected installations. No additional workarounds are specified beyond applying the patch.


Vulnerability details

Postal is an open source SMTP server. Postal versions less than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected into the page, which may modify the page in a misleading way or allow unauthorised JavaScript to be executed. Fixed in 3.3.5 and higher.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS via HTML/JS injection in the admin interface directly enables browser session hijacking and web session cookie theft (credential access), and from there privilege escalation by impersonating an administrator.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28280 (shared CWE-79)
CVE-2026-41201 (shared CWE-79)
CVE-2026-28426 (shared CWE-79)
CVE-2026-34561 (shared CWE-79)
CVE-2025-25102 (shared CWE-79)
CVE-2026-32277 (shared CWE-79)
CVE-2025-23429 (shared CWE-79)
CVE-2025-26918 (shared CWE-79)
CVE-2026-46367 (shared CWE-79)
CVE-2026-27332 (shared CWE-79)

Affected Assets

postalserver / postal: versions < 3.3.5 (fixed in 3.3.5 and higher)

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent): directly prevents HTML injection by encoding or sanitizing unescaped data before it is rendered in the admin interface.
SI-10 Information Input Validation (prevent): enforces sanitization or rejection of HTML/JavaScript in API inputs such as send/raw, blocking injection at the source.
SI-2 Flaw Remediation (prevent): requires timely patching of vulnerabilities such as CVE-2026-25529; upgrading to Postal 3.3.5 or later eliminates the injection flaw.
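The following Ruby example (Ruby because Postal is a Rails application) is an added illustration of the bug class described in the deeper analysis and of the two preventive controls above; it is not Postal's code and does not reproduce Postal's actual fix. It assumes a hypothetical admin view that renders a message's Subject header. It parses a constructed raw message whose Subject contains markup, shows the unescaped rendering beside the HTML-escaped one (SI-15), and adds an input-side check (SI-10) that flags markup in header values without tripping on the legitimate angle brackets found in addresses and Message-IDs. The sample message, header names and helper functions are all constructed for this demonstration.

```ruby
require "erb"

# Constructed sample message, not real traffic: a raw RFC 5322 message of
# the kind an API client would submit through a send/raw-style endpoint.
# The Subject carries markup; From and Message-ID carry legitimate angle
# brackets that a naive check must not flag.
RAW_MESSAGE = <<~EOM
  From: Alice <alice@example.test>
  To: recipient@example.test
  Subject: Invoice <img src=x onerror="alert(document.cookie)">
  Message-ID: <abc@example.test>

  Hello
EOM

# Minimal header parser for the demonstration (no folded-header support;
# a real application would use a proper mail parser).
def parse_headers(raw)
  header_block = raw.split(/\r?\n\r?\n/, 2).first
  header_block.lines.each_with_object({}) do |line, headers|
    name, value = line.chomp.split(":", 2)
    headers[name.strip] = value.strip if name && value
  end
end

# Vulnerable rendering: the untrusted header value is interpolated into the
# page as-is. In a Rails view this is the effect of raw(value) or
# value.html_safe applied to attacker-controlled data.
def render_subject_unescaped(subject)
  %(<td class="subject">#{subject}</td>)
end

# Hardened rendering (SI-15): every untrusted value is HTML-escaped before
# it reaches the page, which is what ERB auto-escaping does when html_safe
# is not applied. The browser then displays the tag text instead of running it.
def render_subject_escaped(subject)
  %(<td class="subject">#{ERB::Util.html_escape(subject)}</td>)
end

# Input-side check (SI-10): flag header values containing an HTML tag name
# followed by whitespace, '/' or '>'. Angle-bracketed addresses and
# Message-IDs such as <abc@example.test> do not match. This is defence in
# depth only; output escaping is the control that actually fixes the bug.
HTML_TAG = %r{<\s*/?\s*(?:script|img|iframe|svg|object|embed|style|link|meta|form|input|a|div|span|body)(?=[\s/>])}i

def suspicious_headers(headers)
  headers.select { |_, value| value.match?(HTML_TAG) }.keys
end

if __FILE__ == $PROGRAM_NAME
  headers = parse_headers(RAW_MESSAGE)
  puts "unescaped: #{render_subject_unescaped(headers["Subject"])}"
  puts "escaped:   #{render_subject_escaped(headers["Subject"])}"
  puts "flagged:   #{suspicious_headers(headers).inspect}"
end
```

Run it directly to see the two renderings side by side: the unescaped line contains a live img tag with an onerror handler, the escaped line contains only &lt;, &gt; and &quot; entities, and the only header flagged is Subject. The tag-name allow-list is deliberately narrow so that the check does not reject the angle brackets email headers legitimately use; a broader input filter would generate false positives and still would not be a substitute for escaping at output.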
