CVE-2025-27102

Name of the Vulnerable Software and Affected Versions Agate versions prior to 3.3.0

Description The issue allows arbitrary HTML code to be injected into a user's first and last name when registering for an account. This HTML is then rendered in an email sent to administrative users, posing a significant risk for phishing attacks, as the email appears to come from a trustworthy source. Administrative users are at risk, as they can be targeted by unauthenticated users.

Recommendations For versions prior to 3.3.0, update to version 3.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the email functionality or implementing additional validation on user input to minimize the risk of exploitation.