CVE-2026-26266 - Vulnerability Analysis
Critical | CVSS: 9.3 | Last Updated: March 3, 2026
AliasVault Web Client - Stored XSS
Published: March 3, 2026 | Updated: March 3, 2026 | Remote Exploitable
Overview
AliasVault Web Client <= 0.25.3 contains a stored XSS caused by unsanitized HTML email content rendered in an iframe using srcdoc without origin isolation, letting attackers execute scripts in the application origin when victims view crafted emails.
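The isolation gap described above, as an added example (not AliasVault's code or its 0.26.0 fix; every function name here is hypothetical): an unsandboxed `srcdoc` frame beside a sandboxed one, plus a small review helper that flags `srcdoc` iframes lacking origin isolation in a markup string.

```javascript
// Added example; function names are hypothetical, not AliasVault code.
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Pattern from the overview: srcdoc with no sandbox, so the email
// document runs in the embedding application's origin.
function renderEmailShared(emailHtml) {
  return `<iframe srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// Isolated form: an empty sandbox token list disables scripts and gives
// the framed document an opaque origin.
function renderEmailIsolated(emailHtml) {
  return `<iframe sandbox="" srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// Parse the attributes of one <iframe ...> start tag (first duplicate wins).
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] || m[3] || m[4] || "");
  }
  return attrs;
}

// Review helper: flag srcdoc iframes in a markup string that are not isolated.
function auditSrcdocIframes(markup) {
  const findings = [];
  for (const [tag] of markup.matchAll(/<iframe\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.has("srcdoc")) continue;
    if (!attrs.has("sandbox")) {
      findings.push("no sandbox: framed document shares the parent origin");
      continue;
    }
    const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.includes("allow-same-origin")) findings.push("allow-same-origin keeps the parent origin");
    if (tokens.includes("allow-scripts")) findings.push("allow-scripts permits script execution");
  }
  return findings;
}
```

The helper parses attributes rather than searching the tag text, so an email body that merely contains the word "sandbox" does not hide a missing attribute.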
Severity & Score
Severity: Critical
CVSS Score: 9.3
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially stealing data or performing actions on behalf of the user.
Mitigation
Update to version 0.26.0 or later.
Details
- CVE ID: CVE-2026-26266
- Severity: Critical
- CVSS Score: 9.3
- Type: stored_xss
- Status: new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N