PT-2026-30853 · Papra · Papra

Toothless5143

Published: 2026-04-07
Updated: 2026-04-07

CVE-2026-35460

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Papra versions prior to 26.4.0

Description: Papra is a minimalistic document management and archiving platform. Prior to version 26.4.0, transactional email templates interpolate user.name directly into HTML without proper escaping or sanitization. An attacker registering with a display name containing HTML tags can inject those tags into the verification and password reset email bodies. Because emails originate from a legitimate domain (e.g., auth@mail.papra.app), this enables convincing phishing attacks that appear to come from official Papra notifications.

Recommendations: Update to version 26.4.0 or later.
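The defect described above is the classic unescaped-interpolation pattern, and the fix is to escape every untrusted value at the point where it enters the HTML template. The following is an added example written for this advisory, not Papra's own code or templates: the function names, the template shape, the placeholder verification URL and the sample display name are all constructed here. It shows the vulnerable rendering beside the hardened one, plus a template-integrity check that flags a rendered email whose tag sequence differs from what the template itself emits, which is a cheap unit test to keep this class of bug from regressing.

```javascript
// Added example (not Papra's code): HTML-escaping at the interpolation
// point, the vulnerable pattern beside the hardened one, and a
// template-integrity check suitable for a unit test or a pre-send gate.

// Escape the characters that matter in HTML text and double-quoted
// attribute context. This is sufficient for those two contexts only;
// untrusted data must never be placed inside <script> or used as a raw URL.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern, as the advisory describes: the display name is
// interpolated into the email body verbatim.
function renderVerificationEmailUnsafe(user, verifyUrl) {
  return `<p>Hi ${user.name},</p>` +
         `<p><a href="${verifyUrl}">Verify your email address</a></p>`;
}

// Hardened pattern: every untrusted value is escaped where it is inserted.
// The URL is escaped as well because it lands in an attribute value.
function renderVerificationEmailSafe(user, verifyUrl) {
  return `<p>Hi ${escapeHtml(user.name)},</p>` +
         `<p><a href="${escapeHtml(verifyUrl)}">Verify your email address</a></p>`;
}

// Return the sequence of tag tokens ('p', '/p', 'a', ...) in rendered HTML.
// Escaped user input contains no '<', so it contributes nothing here.
function tagSequence(html) {
  const tags = [];
  const re = /<(\/?[a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// The tags this template is expected to emit, in order. Any deviation
// means untrusted markup reached the body.
const EXPECTED_TAGS = ['p', '/p', 'p', 'a', '/a', '/p'];

function templateIntact(html, expected = EXPECTED_TAGS) {
  const actual = tagSequence(html);
  return actual.length === expected.length &&
         actual.every((tag, i) => tag === expected[i]);
}

// Constructed sample input: a display name carrying markup.
const sampleUser = {
  name: 'Alice <b>Admin</b> <a href="https://example.invalid">login</a>',
};
// Constructed placeholder URL; a real token would be generated per user.
const sampleUrl = 'https://papra.example/verify?token=PLACEHOLDER_TOKEN';

// Stand-alone demonstration when run directly with Node (CommonJS).
if (typeof require !== 'undefined' && require.main === module) {
  const unsafe = renderVerificationEmailUnsafe(sampleUser, sampleUrl);
  const safe = renderVerificationEmailSafe(sampleUser, sampleUrl);
  console.log('unsafe template intact:', templateIntact(unsafe)); // false
  console.log('safe template intact:  ', templateIntact(safe));   // true
  console.log(safe);
}
```

The integrity check compares the whole tag sequence rather than searching for a blocklist of tags, so a stray `<a>` or `<p>` supplied in a display name is caught just as reliably as `<script>`; it is a property of the template, not of any particular payload.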

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-35460

Affected Products: Papra