PT-2026-22839 · Unknown · Aliasvault
Jorianwoltjer · Published 2026-03-03 · Updated 2026-03-04 · CVE-2026-26266
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AliasVault versions 0.25.3 and lower
Description: AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) issue exists in the email rendering feature of the AliasVault Web Client. When a received email is viewed on an alias, its HTML content is rendered in an iframe via the srcdoc attribute, which on its own provides no origin isolation: a srcdoc document without a sandbox runs in the embedding page's origin. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias; when the victim opens that email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering, so simply viewing an email containing malicious JavaScript triggers the vulnerability.
Recommendations: Update to version 0.26.0 or later.
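The defensive pattern the description implies, as an added example that is not AliasVault's own code: give the email iframe an empty sandbox so its srcdoc content gets an opaque origin, prepend a CSP meta tag to the untrusted HTML as a second layer, and audit the sandbox token list for the combination that would defeat the isolation again. Function and constant names are assumptions.

```javascript
// Added example (not AliasVault's code). Renders untrusted email HTML in an
// iframe whose sandbox gives it a unique opaque origin, and audits a frame's
// attributes for settings that would hand the content the application's origin.

// These two tokens together let the framed document reach its parent and strip
// its own sandbox, which re-creates the same-origin condition in the advisory.
const DANGEROUS_PAIR = ['allow-scripts', 'allow-same-origin'];

// CSP delivered inside the srcdoc document itself: blocks scripts and remote
// loads (tracking pixels) even if the sandbox attribute is lost in a refactor.
// Inner <meta> CSPs can only tighten this policy, never loosen it.
const EMAIL_CSP = "default-src 'none'; img-src data:; style-src 'unsafe-inline'";

// The CSP meta must precede any email content, so it goes in our own <head>.
function wrapEmailHtml(untrustedHtml) {
  return '<!DOCTYPE html><html><head>' +
    '<meta http-equiv="Content-Security-Policy" content="' + EMAIL_CSP + '">' +
    '</head><body>' + untrustedHtml + '</body></html>';
}

// Attributes an email viewer should set on the iframe. An empty sandbox means
// no scripts, no same-origin access, no forms, no popups, no top navigation.
function emailFrameAttributes(untrustedHtml) {
  return {
    sandbox: '',
    srcdoc: wrapEmailHtml(untrustedHtml),
    referrerpolicy: 'no-referrer',
  };
}

// Audit helper: returns a list of reasons a frame is unsafe for untrusted
// HTML, or an empty list when it is properly isolated.
function auditFrame(attrs) {
  const problems = [];
  if (attrs.sandbox === undefined || attrs.sandbox === null) {
    problems.push('no sandbox attribute: srcdoc runs in the embedding origin');
    return problems;
  }
  const tokens = String(attrs.sandbox).trim().split(/\s+/).filter(Boolean);
  if (DANGEROUS_PAIR.every((t) => tokens.includes(t))) {
    problems.push('allow-scripts with allow-same-origin lets the frame remove its own sandbox');
  }
  if (tokens.includes('allow-top-navigation')) {
    problems.push('allow-top-navigation lets email content navigate the application');
  }
  return problems;
}
```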

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-26266
GHSA-F65P-P65R-G53Q

Affected Products

Aliasvault