CVE-2026-25529
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2Tags
Description
Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher.
Analysis
Postal SMTP server versions below 3.3.5 contain a stored cross-site scripting (XSS) vulnerability in the admin interface where the API's "send/raw" method fails to properly escape user-supplied data, allowing authenticated attackers to inject malicious HTML and JavaScript. An attacker with API access could manipulate the admin dashboard or execute unauthorized actions in the context of an administrator's session. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Postal instances in your environment and document their versions; restrict administrative interface access to trusted networks only. Within 7 days: Implement WAF rules to sanitize HTML input to the admin interface; establish monitoring for suspicious admin interface activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today