PT-2025-41969 · Mailgen · Mailgen

Published: 2025-10-14 · Updated: 2025-10-15 · CVE-2025-62366

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: mailgen versions through 2.0.30

Description: mailgen is a Node.js package used to generate responsive HTML e-mails. Versions through 2.0.30 have an issue where the generatePlaintext function does not properly remove encoded HTML entities from user-supplied content. This can lead to the inclusion of active HTML, such as an img tag with an event handler, in the plaintext output. If this output is then rendered as HTML, it could allow the execution of attacker-controlled JavaScript. The function strips HTML tags first, so a tag written with encoded entities contains no literal angle brackets at that point, passes the strip step unchanged, and is turned back into live markup when the entities are decoded afterwards.

Recommendations: Update to version 2.0.31 or later.
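The ordering problem described above, as an added illustration that is not Mailgen's own code: a minimal model with an assumed strip-then-decode pipeline beside the decode-then-strip order, plus a check a defender can run on the plaintext output before it reaches anything that renders HTML.

```javascript
// Added illustration of the strip-then-decode ordering bug described above.
// Simplified model, NOT Mailgen's implementation; all names are assumed.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode numeric (&#60; / &#x3c;) and a few named entities in a single pass.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const ch = NAMED_ENTITIES[body.toLowerCase()];
    return ch !== undefined ? ch : match;
  });
}

// Naive tag stripper of the kind a plaintext generator typically uses.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Vulnerable ordering: strip first, decode second. An encoded tag such as
// "&lt;img ...&gt;" contains no '<' when the strip runs, survives it, and is
// turned into live markup by the decode step that follows.
function plaintextVulnerable(html) {
  return decodeEntities(stripTags(html));
}

// Hardened ordering: decode first so encoded tags become real tags, then strip.
// Only one decode pass is done, so a double-encoded "&amp;lt;" stays literal.
function plaintextHardened(html) {
  return stripTags(decodeEntities(html));
}

// Guard: a plaintext result must contain no element markup before it is
// handed to anything that might render it as HTML.
function containsTag(s) {
  return /<[a-z][^>]*>/i.test(s);
}

// Constructed sample input: an image tag hidden behind HTML entities.
const SAMPLE = 'Hello &lt;img src=x onerror=handler()&gt; world';

console.log(plaintextVulnerable(SAMPLE)); // Hello <img src=x onerror=handler()> world
console.log(plaintextHardened(SAMPLE));   // Hello  world
```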

Weakness Enumeration: XSS

Related Identifiers: CVE-2025-62366, GHSA-XW6R-CHMH-VPMJ

Affected Products: Mailgen