Description
AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.[
Published: 2026-03-03
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A stored Cross‑Site Scripting vulnerability has been found in the AliasVault web client. The flaw resides in the manner by which received email messages that contain HTML are displayed. The application places the entire HTML body inside an iframe via the srcdoc attribute, and this rendering occurs without any sanitization or origin isolation. As a result, a malicious script contained in an email will run under the same origin as the AliasVault web client when the recipient opens the message. Because the code executes with the privileges of the application and can access user data stored in cookies or local storage, an attacker could steal credentials, inject malware, or otherwise manipulate the victim’s session. The weakness is classified as CWE‑79.

Affected Systems

The affected product is AliasVault email aliasing and password manager, in all releases up through 0.25.3. The problem exists in the web client that handles email rendering. Users running any 0.25.3 or earlier version are susceptible. AliasVault is listed under the aliasvault vendor name in the CNA data. Version information that mitigates the issue starts at 0.26.0 as referenced by the release notes.

Risk and Exploitability

The CVSS score is 9.3, marking it as critical. The EPSS score is less than 1 %, indicating that real‑world exploitation is currently unlikely but possible. The vulnerability is not yet in the CISA KEV catalog. Attackers can exploit it by crafting an email with malicious JavaScript and sending it to any AliasVault alias. The victim must be logged into the web client to view the message for the exploit to succeed. Since the script runs with the same origin as AliasVault, it can bypass same‑origin policy restrictions and read session cookies or local storage, providing a wide attack surface.

Generated by OpenCVE AI on April 16, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AliasVault to version 0.26.0 or later, which removes the insecure rendering approach and adds proper sanitization.
  • If an immediate upgrade is not possible, disable HTML email rendering in the web client or enforce a content security policy that blocks inline scripts in the email view.
  • Scan inbound emails for script tags or iframe elements and strip or quarantine those messages before they are displayed to users.

Generated by OpenCVE AI on April 16, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:aliasvault:aliasvault:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Aliasvault
Aliasvault aliasvault
Vendors & Products Aliasvault
Aliasvault aliasvault

Tue, 03 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.[
Title AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Aliasvault Aliasvault
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:52:03.957Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26266

cve-icon Vulnrichment

Updated: 2026-03-04T16:50:47.685Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T23:15:54.877

Modified: 2026-03-05T21:22:01.810

Link: CVE-2026-26266

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses