CVE-2025-59526 LOW

CVE-2025-59526: Mailgen: HTML injection vulnerability in plaintext e-mails

Vendor Eladnava
Product mailgen
Weakness CWE-79 · XSS
Published September 22, 2025
Last update September 22, 2025
View on NVD All CVEs

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:U

What the vulnerability does

01Description

mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Prior to version 2.0.30, there is an HTML injection vulnerability in plaintext e-mails generated by Mailgen. Projects are affected if the Mailgen.generatePlaintext(email) method is used and given user-generated content. This vulnerability has been patched in version 2.0.30. A workaround involves stripping all HTML tags before passing any content into Mailgen.generatePlaintext(email).

Key dates

02Disclosure timeline

September 22, 2025 CVE published
September 22, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-32573 WordPress WP-Lister Lite for eBay plugin <=3.5.11 - Cross Site Scripting (XSS) vulnerability CVE-2025-53351 WordPress Fidelo Snippet plugin <= 1.12 - Cross Site Scripting (XSS) vulnerability CVE-2023-0308 Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq CVE-2022-2040 Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL CVE-2026-7462 VatanSMS WP SMS <= 1.01 - Reflected Cross-Site Scripting via 'page' Parameter