Home / Vulnerability Intelligence / CVE-2026-25529

CVE-2026-25529 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 12, 2026

Postal - Stored XSS

Published: March 12, 2026Updated: March 12, 2026Remote Exploitable

Overview

Postal < 3.3.5 contains a stored XSS caused by unescaped data inclusion via the API's send/raw method in the admin interface, letting attackers execute arbitrary JavaScript, exploit requires API access.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript in the admin interface, potentially leading to session hijacking or unauthorized actions.

Mitigation

Upgrade to version 3.3.5 or later.

References

https://github.com/postalserver/postal/security/advisories/GHSA-5f4r-5jpr-rfhc

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 12, 2026

🟠 CVE-2026-25529 - High (8.1) Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25529/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-25529
Severity: High
CVSS Score: 8.1
Type: stored_xss
Status: unconfirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days