CVE-2026-26266 - Vulnerability Analysis
Critical | CVSS: 9.3 | Last Updated: March 4, 2026
AliasVault Web Client - Stored XSS
Overview
AliasVault Web Client <= 0.25.3 contains a stored XSS caused by unsanitized HTML email content rendered in an iframe using srcdoc without origin isolation, letting attackers execute scripts in the application origin when victims view crafted emails.
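The rendering pattern described above, next to an isolated variant and a small markup check, as an added example (not AliasVault's code or its actual fix). The function names and the sample email are constructed, and using the `sandbox` attribute is an assumption about how origin isolation would be applied.

```javascript
// Constructed sample email body: markup plus a harmless script marker.
const SAMPLE_EMAIL = '<p>Hello</p><script>document.title = "ran in app origin"</script>';

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Pattern from the overview: srcdoc with no sandbox attribute.
// A srcdoc document takes the embedding page's origin, so any script
// in the email runs with the web client's privileges.
function emailFrameUnisolated(emailHtml) {
  return `<iframe srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// Isolated variant (assumption): an empty sandbox token list disables
// script execution and gives the framed document an opaque origin.
function emailFrameIsolated(emailHtml) {
  return `<iframe sandbox="" srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// Review helper: report srcdoc iframes that are not origin-isolated.
function auditSrcdocFrames(markup) {
  const findings = [];
  for (const [tag] of markup.matchAll(/<iframe\b[^>]*>/gi)) {
    if (!/\bsrcdoc\s*=/i.test(tag)) continue;
    // Drop the srcdoc value so email text cannot be mistaken for attributes.
    const attrs = tag.replace(/\bsrcdoc\s*=\s*"[^"]*"/i, "");
    const sb = attrs.match(/\bsandbox(?:\s*=\s*"([^"]*)")?/i);
    if (!sb) {
      findings.push("srcdoc iframe without sandbox: content runs in the embedding origin");
      continue;
    }
    const tokens = (sb[1] || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push("sandbox allows scripts and same-origin: framed script can undo the isolation");
    }
  }
  return findings;
}

console.log(auditSrcdocFrames(emailFrameUnisolated(SAMPLE_EMAIL)));
console.log(auditSrcdocFrames(emailFrameIsolated(SAMPLE_EMAIL)));
```

Sandboxing contains whatever the email carries; sanitizing the HTML before it reaches `srcdoc` remains a separate layer.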
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially stealing data or performing actions on behalf of the user.
Mitigation
Update to version 0.26.0 or later.
Social Media Activity (1 post)
CVE-2026-26266 - Critical (9.3) AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received ... https://www.thehackerwire.com/vulnerability/CVE-2026-26266/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-26266
- Severity: Critical
- CVSS Score: 9.3
- Type: stored_xss
- Status: unconfirmed
- EPSS: 3.1%
- Social Posts: 1
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N