CVE-2026-35460 - Vulnerability Details

- Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name

Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.

Published: 2026-04-07

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Papra renders the user’s display name directly into the body of its promotional and password‑reset emails without escaping any markup. The injected content appears within the HTML of the message, effectively turning a harmless announcement into a malicious link or form. The vulnerability represents a classic web‑based injection flaw (CWE‑79 and CWE‑80), allowing an attacker to craft HTML tags that are sent to real users from an email address that looks legitimate.

Affected Systems

The Papra document management and archiving platform is affected in all releases older than version 26.4.0. The vulnerability targets the project identified as papra-hq:papra and manifests when a user registers or changes their profile name. Anyone running an unpatched copy of the software, regardless of deployment size, is exposed.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and no EPSS data is available; KeV does not list this issue. The likely attack vector is through the public registration flow, as an attacker can create an account with a crafted display name. No additional privileges or configuration changes are required; once the account exists, each verification or reset email will carry the attacker’s embedded HTML, making the exploitation trivial and easily repeatable for a malicious actor.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

papra-hq

papra

affected

Version	Status	Constraints
`< 26.4.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:papra:papra:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Papra-hq

Papra

100%

Version	Status	Scheme	Platform
`[0,26.4.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Papra to version 26.4.0 or later to apply the official patch.
Verify that user display names are escaped before inclusion in email templates.
If an immediate upgrade is not possible, restrict display names to alphanumeric characters or strip HTML tags during input processing.
Monitor outgoing emails for unexpected HTML content and educate users about phishing indicators.

Generated by OpenCVE AI on April 7, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4

History

Fri, 24 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Papra Papra papra
CPEs		cpe:2.3:a:papra:papra::::::::
Vendors & Products		Papra Papra papra

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Papra-hq Papra-hq papra
Vendors & Products		Papra-hq Papra-hq papra

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.
Title		Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name
Weaknesses		CWE-79 CWE-80
References		https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Papra Papra

Papra-hq Papra

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T14:26:52.943Z

Updated: 2026-04-07T15:59:07.465Z

Reserved: 2026-04-02T19:25:52.193Z

Link: CVE-2026-35460

Vulnrichment

Updated: 2026-04-07T15:13:21.174Z

NVD

Status : Analyzed

Published: 2026-04-07T15:17:43.887

Modified: 2026-04-24T15:31:18.307

Link: CVE-2026-35460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:50Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object