PT-2025-39071 · Mailgen · Mailgen

Published: 2025-09-21 · Updated: 2025-09-23 · CVE-2025-59526
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: mailgen versions prior to 2.0.30
Description: mailgen is a Node.js package used to generate responsive HTML e-mails. An HTML injection flaw exists in plaintext e-mails generated by the software when the Mailgen.generatePlaintext(email) method is used with user-provided content. The issue allows HTML code to be injected into generated e-mails. As a workaround, remove all HTML tags from content before passing it to the Mailgen.generatePlaintext(email) function.
Recommendations: Update to version 2.0.30 or later. Strip all HTML tags from content before passing it to the Mailgen.generatePlaintext(email) function.
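As an added example (not code from the advisory or from the mailgen project), the workaround above in JavaScript: a tag stripper and a walk over the email object that sanitizes every string before the object is handed to Mailgen.generatePlaintext(email). The email object shape and the sample values are constructed for the example.

```javascript
// Added example (not mailgen's code): strip HTML tags from every string in the
// email object before it reaches Mailgen.generatePlaintext(email).
// A small scanner rather than one regex, so an unterminated tag ("abc<b") or a
// '>' inside a quoted attribute value cannot leave a tag fragment behind.
function stripTags(input) {
  let out = '';
  let depth = 0;    // > 0 while inside a tag
  let quote = null; // quote character of the attribute value we are inside
  for (const ch of input) {
    if (depth > 0) {
      if (quote) {
        if (ch === quote) quote = null;   // end of quoted attribute value
      } else if (ch === '"' || ch === "'") {
        quote = ch;                       // '>' inside quotes must not close the tag
      } else if (ch === '<') {
        depth += 1;
      } else if (ch === '>') {
        depth -= 1;
      }
    } else if (ch === '<') {
      depth = 1;                          // tag opens; text is dropped until it closes
    } else {
      out += ch;                          // only text outside tags is kept
    }
  }
  return out;
}

// Walk the email object (body.name, body.intro, table rows, ...) and return a
// copy with every string passed through stripTags; the input stays untouched.
function sanitizeEmail(value) {
  if (typeof value === 'string') return stripTags(value);
  if (Array.isArray(value)) return value.map(sanitizeEmail);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeEmail(v)]),
    );
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Constructed sample: "name" and "intro" stand in for user-controlled values
// carrying injected markup. Pass sanitizeEmail(SAMPLE_EMAIL) to generatePlaintext.
const SAMPLE_EMAIL = {
  body: {
    name: 'Alice <a href="https://example.invalid/">click here</a>',
    intro: 'Welcome aboard! <img src=x onerror="1>2">',
    outro: 'Need help? Reply to this e-mail.',
  },
};
```

The sanitized copy is what goes into generatePlaintext; keeping the original object around lets you log or alert on content that actually contained markup.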

Weakness Enumeration: XSS

Related Identifiers: BDU:2025-16482, CVE-2025-59526, GHSA-J2XJ-H7W5-R7VP

Affected Products: Mailgen