Postal HTML Injection Vulnerability in Admin Interface

Vulnerability

An HTML injection vulnerability has been identified in Postal versions prior to 3.3.5. Message data submitted through the legacy API's 'send/raw' method is rendered in the admin interface without being escaped, so an attacker who can submit messages through that method can place arbitrary HTML into pages viewed by administrators. Injected markup can mislead users or, in the worst case, cause attacker-supplied JavaScript to execute in the administrator's browser.

Impact

Successful exploitation results in HTML injection in the admin interface, which can escalate to execution of unauthorized JavaScript in the browser of an administrator who views the injected content.

Remediation

Upgrade to Postal version 3.3.5 or later. If the legacy API is not used to deliver messages, exposure is limited, because the SMTP server sanitizes '<' and '>' characters in incoming data. Operators who cannot upgrade immediately should treat messages that entered the system through the legacy API as untrusted when viewing them in the admin interface.
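The following Ruby snippet is an added illustration of the vulnerability class and of the remediation described above; it is not code from the Postal project or from this advisory. The rendering functions, the `injected_tags` check, the attacker-controlled subject line and the `smtp_sanitize` approximation of the SMTP path's behaviour are all constructed for the example.

```ruby
require 'erb'

# Constructed sample input: a subject line an attacker could submit through
# an API that stores message data verbatim. Not taken from a real Postal message.
ATTACKER_SUBJECT = 'Invoice <img src=x onerror="alert(document.cookie)">'

# Vulnerable pattern (hypothetical, not Postal's view code): the stored value
# is interpolated straight into the admin page's markup, so any '<' in it
# becomes a tag in the administrator's browser.
def render_subject_vulnerable(subject)
  %(<td class="subject">#{subject}</td>)
end

# Hardened pattern: escape on output. ERB::Util.html_escape turns '<', '>',
# '&', '"' and "'" into entities, so the value is displayed rather than parsed.
def render_subject_escaped(subject)
  %(<td class="subject">#{ERB::Util.html_escape(subject)}</td>)
end

# Approximation of what the advisory says the SMTP path does (strip '<' and
# '>' from incoming data). Assumed behaviour for this example only; it is not
# a substitute for output escaping, since '&', quotes and attribute context
# are left untouched.
def smtp_sanitize(value)
  value.delete('<>')
end

# Reviewer's check: which tag names appear in a rendered fragment beyond the
# ones the template itself emits? Anything left over came from the data.
def injected_tags(rendered, template_tags: %w[td])
  rendered.scan(%r{</?([A-Za-z][\w-]*)}).flatten.map(&:downcase).uniq - template_tags
end

if __FILE__ == $PROGRAM_NAME
  puts render_subject_vulnerable(ATTACKER_SUBJECT)
  puts injected_tags(render_subject_vulnerable(ATTACKER_SUBJECT)).inspect
  puts render_subject_escaped(ATTACKER_SUBJECT)
  puts injected_tags(render_subject_escaped(ATTACKER_SUBJECT)).inspect
  puts render_subject_vulnerable(smtp_sanitize(ATTACKER_SUBJECT))
end
```

Running the script shows an `img` tag surviving into the vulnerable output, no foreign tags in the escaped output, and no foreign tags when the same string first passes through the '<'/'>' stripping the SMTP path is described as performing. The escaping variant is the real fix; stripping two characters at one ingress point only narrows the exposure, which is why the advisory calls the SMTP-only case "limited" rather than safe.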

Added: Mar 12, 2026, 5:27 PM
Updated: Mar 12, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.0
exploitability: 5.4
remediation: 8.3
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.