Description
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote “ to the URL with embedded malicious JavaScript code.
Recommendation
Update the mailparser package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.9.3
- Patched version(s): 3.9.3
References
Related Issues
- Svelte SSR vulnerable to cross-site scripting via spread attributes - CVE-2026-42599
- QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting - CVE-2026-0824
- Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler - CVE-2026-1721
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
You might also like:
- Tags:
- npm
- mailparser
Anything's wrong? Let us know Last updated on March 04, 2026