Description
Postal is an open source SMTP server. Postal versions less than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected into the page which may modify the page in a misleading way or allow for unauthorised JavaScript to be executed. Fixed in 3.3.5 and higher.
Published: 2026-03-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Postal, the open source SMTP server, has a vulnerability that allows unescaped HTML to be injected into the admin message view. The issue arises when data submitted through the API's "send/raw" endpoint is rendered in that view without being HTML-escaped, so an attacker who can submit messages through the API can place arbitrary HTML or JavaScript in a page an administrator later opens. This can alter the interface in a misleading way or allow unauthorized script execution in the administrator's browser, a classic Cross‑Site Scripting flaw (CWE‑79).
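The root cause described above is output encoding, not input: a string from an untrusted source is interpolated into admin-page markup as-is. The following is an added illustration, not Postal's own code, of the unsafe pattern beside the hardened one in Ruby (Postal is a Rails application). The `render_subject_*` helpers, the `contains_raw_tag?` check and the sample subject are all constructed for this example; the only library call is the standard-library `ERB::Util.html_escape`.

```ruby
require 'erb'

# Constructed sample: a message field as it might arrive through an API
# that accepts raw content. The payload is a generic XSS test string.
RAW_SUBJECT = 'Invoice <script>alert(1)</script>'

# Hypothetical admin view helper (not Postal's code). The unsafe version
# interpolates the string straight into markup, so any tags in it become
# part of the page: this is the CWE-79 pattern the advisory describes.
def render_subject_unsafe(subject)
  "<td class=\"subject\">#{subject}</td>"
end

# Hardened version: escape before interpolation. ERB::Util.html_escape
# turns &, <, >, " and ' into entities, so the browser shows the text
# literally instead of parsing it as markup.
def render_subject_safe(subject)
  "<td class=\"subject\">#{ERB::Util.html_escape(subject)}</td>"
end

# Simple check a code reviewer or test suite can apply to a rendered cell:
# strip the cell's own tags and see whether any '<' from the data survived.
def contains_raw_tag?(html_fragment)
  inner = html_fragment.sub(/\A<td[^>]*>/, '').sub(%r{</td>\z}, '')
  inner.include?('<')
end

if __FILE__ == $PROGRAM_NAME
  puts render_subject_unsafe(RAW_SUBJECT)  # script tag survives intact
  puts render_subject_safe(RAW_SUBJECT)    # rendered as &lt;script&gt;...
end
```

In Rails ERB templates the `<%= %>` tag already applies this escaping; the injection pattern reappears when a value is marked `html_safe` or rendered with `raw`, which is what a review of the admin views should look for.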

Affected Systems

Postal server versions prior to 3.3.5 are affected. The vulnerability is present in all generally available releases of Postal (CPE vendor/product postalserver:postal) before that version and has been fixed in version 3.3.5 and later.

Risk and Exploitability

The CVSS score of 8.1 marks this vulnerability as high severity. The EPSS score is reported as less than 1%, indicating low current exploit prevalence, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires sending a crafted payload through the public "send/raw" API endpoint, and success would result in HTML injection into the administrative interface for users who view the affected message. The attack vector is inferred from the description, as explicit details are not provided in the data.

Generated by OpenCVE AI on March 19, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Postal to version 3.3.5 or newer



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 18:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:postalserver:postal:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Postalserver; Postalserver postal

Type: Vendors & Products
Values Added: Postalserver; Postalserver postal

Thu, 12 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 17:00:00 +0000

Type: Description
Values Added: Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher.

Type: Title
Values Added: Postal has HTML injection / XSS in message view

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Postalserver Postal
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T17:57:37.553Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25529

Vulnrichment

Updated: 2026-03-12T17:57:31.875Z

NVD

Status : Analyzed

Published: 2026-03-12T17:16:46.953

Modified: 2026-03-19T17:53:51.943

Link: CVE-2026-25529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:48:59Z

Weaknesses