How to fix CVE-2026-26266?

Within 24 hours: Identify all instances of AliasVault Web Client in your environment and document versions in use. Within 7 days: Apply the available vendor patch to all AliasVault deployments and verify successful patching across all systems. Within 30 days: Conduct security audit of AliasVault usage patterns, review access logs for suspicious activity during the vulnerability window, and reset credentials for high-privilege accounts that may have been exposed.

Is Aliasvault affected by CVE-2026-26266?

A critical stored XSS vulnerability in AliasVault Web Client (v0.25.3 and below) allows attackers to inject malicious code through the email rendering feature, potentially compromising user credentials and sensitive data stored in password vaults.

CVE-2026-26266

CRITICAL

2026-03-03 [email protected]

9.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

Patch Released

Mar 05, 2026 - 21:22 nvd

Patch available

CVE Published

Mar 03, 2026 - 23:15 nvd

CRITICAL 9.3

Description

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.[

Analysis

Stored XSS in AliasVault password manager. Patch available.

Remediation

Within 24 hours: Identify all instances of AliasVault Web Client in your environment and document versions in use. Within 7 days: Apply the available vendor patch to all AliasVault deployments and verify successful patching across all systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: 0

CVE-2026-26266 vulnerability details – vuln.today

Back

CVE-2026-26266

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-26266

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code