Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.
AnalysisAI
Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
This vulnerability is a stored cross-site scripting (XSS) vulnerability classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags). The root cause is the direct interpolation of the user.name field into HTML email template bodies without HTML entity encoding or output escaping. When an attacker registers an account with a display name containing HTML tags (e.g., '<img src=x onerror="alert(1)">' or '<a href="https://attacker.com">click here</a>'), these tags are embedded into the email HTML structure. Email clients that render HTML (most modern clients) will interpret and execute these tags. Unlike reflected XSS, this is stored in the user profile and persists across every transactional email sent to that user or about that user. The attack surface is limited to authenticated registration, but the impact is significant because emails originating from legitimate Papra infrastructure (auth@mail.papra.app) bypass email security filters and trust mechanisms.
RemediationAI
Vendors and administrators must upgrade Papra to version 26.4.0 or later, which implements proper HTML entity encoding and output escaping for the user.name field in email templates. The primary remediation is a straightforward upgrade; no interim workarounds are documented. Organizations running Papra should prioritize this patch given the ease of exploitation and the trust relationship users have with legitimate Papra email addresses. Refer to the GitHub Security Advisory at https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4 for official guidance and change notes.
Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to r
Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19653