PT-2024-21302 · Mjml +1 · Sh-At-Cs

Published 2024-02-22 · Updated 2024-02-23

CVE-2024-26151

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions

mjml versions 0.10.0 through 0.10.x. mjml version 0.11.0 is not affected, as it contains the fix for this issue. Versions prior to 0.10.0 are also not affected.
Description

The issue affects users of the mjml-python library who insert untrusted data into mjml templates without strict checking. An attacker who can control some data that is later injected into an mjml template, which is then sent out as an email to other users, can thereby control the contents of the email messages sent through the platform. User input like &lt;script&gt; would be rendered as <script> in the final HTML output.
Recommendations

For versions 0.10.0 through 0.10.x, update to version 0.11.0 to resolve the issue. As a temporary workaround for affected versions, ensure that potentially untrusted user input does not contain any sequences that could be rendered as HTML.
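The workaround above as an added Python example (not code from mjml-python or from the advisory): because the affected versions decode entity-encoded input such as &lt;script&gt; back into markup, ordinary escaping is not a safe form here, so the check decodes the value first and then rejects or strips anything that could render as HTML. The function names are hypothetical, the repeated decoding is a conservative assumption, and the sample inputs are constructed.

```python
import html
import re

# Characters that become markup-significant once entities are decoded.
# Quotes are deliberately left alone: they only matter inside attributes,
# and stripping them would mangle ordinary names such as O'Brien.
_MARKUP_CHARS = re.compile(r"[<>&]")


def fully_unescape(value: str, max_rounds: int = 5) -> str:
    """Decode HTML entities until the string stops changing.

    The advisory describes one level of decoding ('&lt;' -> '<'); decoding
    until stable is a conservative assumption so that double-encoded input
    such as '&amp;lt;' cannot slip through a single-pass check.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def is_safe_for_mjml(value: str) -> bool:
    """True when no decoding of the value yields a markup-significant character."""
    return _MARKUP_CHARS.search(fully_unescape(value)) is None


def sanitize_for_mjml(value: str, replacement: str = "") -> str:
    """Return the fully decoded value with every markup-significant character removed.

    Rejecting the input (is_safe_for_mjml) is preferable; this is the
    fallback when a value must be rendered anyway.
    """
    return _MARKUP_CHARS.sub(replacement, fully_unescape(value))


if __name__ == "__main__":
    # Constructed samples: a plain name, the advisory's entity-encoded tag,
    # a double-encoded tag and a harmless ampersand.
    for sample in ["Alice", "&lt;script&gt;", "&amp;lt;b&amp;gt;", "Tom &amp; Jerry"]:
        print(
            f"{sample!r}: decodes to {fully_unescape(sample)!r}, "
            f"safe={is_safe_for_mjml(sample)}, sanitized={sanitize_for_mjml(sample)!r}"
        )
```

Run the safe check before the value is substituted into the template; the decoded form is what the affected renderer would emit, so that is the form to inspect.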

Tags: Exploit · Fix · XSS · RCE

Weakness Enumeration

Related Identifiers

CVE-2024-26151
GHSA-578P-FXMM-6229

Affected Products

Mjml
Mjml-Python