Skip to main content

Papra CVE-2026-35460

| EUVDEUVD-2026-19653 MEDIUM
Basic XSS (CWE-80)
2026-04-07 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4.0
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19653
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 14:26 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.

AnalysisAI

Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability is a stored cross-site scripting (XSS) vulnerability classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags). The root cause is the direct interpolation of the user.name field into HTML email template bodies without HTML entity encoding or output escaping. When an attacker registers an account with a display name containing HTML tags (e.g., '<img src=x onerror="alert(1)">' or '<a href="https://attacker.com">click here</a>'), these tags are embedded into the email HTML structure. Email clients that render HTML (most modern clients) will interpret and execute these tags. Unlike reflected XSS, this is stored in the user profile and persists across every transactional email sent to that user or about that user. The attack surface is limited to authenticated registration, but the impact is significant because emails originating from legitimate Papra infrastructure (auth@mail.papra.app) bypass email security filters and trust mechanisms.

RemediationAI

Vendors and administrators must upgrade Papra to version 26.4.0 or later, which implements proper HTML entity encoding and output escaping for the user.name field in email templates. The primary remediation is a straightforward upgrade; no interim workarounds are documented. Organizations running Papra should prioritize this patch given the ease of exploitation and the trust relationship users have with legitimate Papra email addresses. Refer to the GitHub Security Advisory at https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4 for official guidance and change notes.

Share

CVE-2026-35460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy