Impact
mailparser’s textToHtml() function fails to sanitize URLs correctly, allowing an attacker to inject malicious JavaScript through specially crafted email content. This cross‑site scripting flaw can execute arbitrary scripts in any browser that renders the parsed email, potentially exposing session data, credentials, or other sensitive information. The weakness is a classic client‑side XSS, identified by CWE‑79. The attack vector is not explicitly stated but inferred from the description that an attacker can supply malicious URLs in email content.
Affected Systems
The vulnerability affects the Nodemailer mailparser JavaScript library, version 3.8.x and earlier, bundled with Node.js applications. Users running any version of mailparser older than 3.9.3 are exposed, including deployments that parse inbound email into HTML for display in web interfaces. Affected systems typically include Node.js servers that process marketing or support emails.
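To check a deployment against the version boundary above, the following added example (not code from mailparser or from the advisory) scans a parsed `package-lock.json` for mailparser entries older than 3.9.3, including copies nested under other dependencies. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag mailparser installs older than 3.9.3 in a package-lock.json.
const FIXED = [3, 9, 3]; // boundary taken from the advisory text ("older than 3.9.3")

// Parse "major.minor.patch" (ignoring any prerelease/build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every mailparser entry in a parsed lockfile that is older than FIXED.
// Handles lockfileVersion 2/3 ("packages") and the v1 nested "dependencies" tree.
function findAffected(lock) {
  const hits = [];
  const check = (path, version) => {
    const parsed = parseVersion(version);
    // Entries with a missing or unparseable version are reported for manual review.
    if (!parsed || isOlder(parsed, FIXED)) hits.push({ path, version });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/mailparser' || path.endsWith('/node_modules/mailparser')) {
      check(path, meta.version);
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mailparser') check(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  // Only walk the v1 tree when "packages" is absent, to avoid duplicate hits.
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'inbox-viewer', version: '1.0.0' },
    'node_modules/mailparser': { version: '3.9.3' },
    'node_modules/legacy-importer/node_modules/mailparser': { version: '3.6.5' },
  },
};
console.log(findAffected(sampleLock));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` in place of the sample object.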
Risk and Exploitability
With a CVSS base score of 5.1, the flaw is rated medium severity. Its EPSS is less than 1%, meaning exploitation is low probability but possible if an attacker can supply crafted email content to a susceptible application. Since the flaw is client‑side, exploitation requires a victim to view the rendered email in a browser that trusts the output; the vulnerability is not in the mailparser code itself but in how its output is consumed. The flaw is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, but attackers could still target applications that fail to sanitize mailparser output. The requirement that a victim views the rendered email is inferred from the client‑side nature of the flaw.
OpenCVE Enrichment
Github GHSA