Description
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote “ to the URL with embedded malicious JavaScript code.
Recommendation
Update the mailparser package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.9.3
- Patched version(s): 3.9.3
References
Related Issues
- Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler - CVE-2026-1721
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting - CVE-2026-0824
- Tags:
- npm
- mailparser
Anything's wrong? Let us know Last updated on March 04, 2026