PT-2026-25008 · Git+1 · Postal

Adamcoke · Published 2026-03-12 · Updated 2026-03-12

CVE-2026-25529 · CVSS v3.1 8.1 High · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Postal versions prior to 3.3.5

Description: Postal is an open source SMTP server. Versions prior to 3.3.5 contain an HTML injection issue that lets unescaped data reach the administration interface. The primary way to introduce unescaped data is the send/raw method of the API (endpoint /api/v1/send/raw). An API client can thereby inject arbitrary HTML into the page, which could alter the page in a misleading way or enable execution of unauthorized JavaScript when an administrator views it.

Recommendations: Upgrade to Postal version 3.3.5 or later.
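The pattern behind this class of bug, shown as an added example that is not Postal's own code and not taken from the advisory: a message submitted through send/raw carries HTML in a header, and an admin view that interpolates that header without escaping renders it as markup, while the same view with escaping renders it as text. The choice of the Subject header, the sample message, and the send/raw parameter names (mail_from, rcpt_to, base64 data) are assumptions for illustration; the advisory does not say which field reached the interface unescaped.

```ruby
require "erb"
require "json"
require "base64"

# Constructed sample: an RFC 5322 message of the kind /api/v1/send/raw
# accepts, with HTML placed in the Subject header. Using the Subject header
# is an assumption for illustration; the advisory does not state which
# message field reached the admin interface unescaped.
RAW_MESSAGE = <<~MAIL
  From: sender@example.com
  To: recipient@example.com
  Subject: Invoice <img src=x onerror="alert(document.cookie)">

  Body text.
MAIL

# Wrap the message the way a send/raw caller would. The parameter names
# (mail_from, rcpt_to, base64-encoded "data") are an assumption here,
# not something the advisory specifies.
def build_send_raw_payload(raw, mail_from:, rcpt_to:)
  JSON.generate(
    "mail_from" => mail_from,
    "rcpt_to"   => Array(rcpt_to),
    "data"      => Base64.strict_encode64(raw)
  )
end

# Minimal header parser: everything up to the first empty line, one
# "Name: value" per line, names lower-cased. Folded headers are not handled.
def parse_headers(raw)
  headers = {}
  raw.each_line do |line|
    line = line.chomp
    break if line.empty?
    name, value = line.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Vulnerable pattern: the attacker-controlled value is interpolated into the
# markup as-is, which is what `raw` / `html_safe` does in a Rails view.
def render_cell_unsafe(value)
  "<td>#{value}</td>"
end

# Hardened pattern: the value is HTML-escaped before it reaches the page, so
# <, >, & and quotes become entities and the browser shows them as text.
def render_cell_safe(value)
  "<td>#{ERB::Util.html_escape(value)}</td>"
end

# Check usable in a view test: apart from the template's own <td> and </td>,
# the rendered cell must contain no angle brackets.
def cell_is_escaped?(html)
  inner = html.delete_prefix("<td>").delete_suffix("</td>")
  !inner.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  payload = build_send_raw_payload(RAW_MESSAGE,
                                   mail_from: "sender@example.com",
                                   rcpt_to: "recipient@example.com")
  decoded = Base64.strict_decode64(JSON.parse(payload)["data"])
  subject = parse_headers(decoded)["subject"]
  puts "unsafe: #{render_cell_unsafe(subject)}"
  puts "safe:   #{render_cell_safe(subject)}"
end
```

Running the file prints the same Subject twice, once as live markup and once as entities; `cell_is_escaped?` is the kind of assertion that belongs in a view spec so a regression reintroducing `raw`/`html_safe` on a message field fails the build.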

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-25529
GHSA-5F4R-5JPR-RFHC

Affected Products

Postal