Vulnerability Description
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since the emails are sent from the legitimate domain (e.g. [email protected]), this enables convincing phishing messages that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.
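As an added illustration (this is not Papra's code and not taken from the advisory), the following shows the template shape the advisory describes, user.name interpolated straight into HTML, beside a hardened version that escapes every untrusted value at the point of interpolation. The function names, the escaper and the sample user are assumptions made for the example.

```javascript
// Added example, not Papra's code: vulnerable vs. hardened email template rendering.

// Minimal HTML escaper for text placed in element content or quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable shape: raw interpolation, so any markup in user.name becomes markup in the email.
function renderVerificationEmailUnsafe(user, verifyUrl) {
  return `<p>Hi ${user.name}, confirm your address: <a href="${verifyUrl}">Verify</a></p>`;
}

// Hardened shape: each untrusted value is escaped where it is inserted into the HTML.
function renderVerificationEmailSafe(user, verifyUrl) {
  return `<p>Hi ${escapeHtml(user.name)}, confirm your address: <a href="${escapeHtml(verifyUrl)}">Verify</a></p>`;
}

// Constructed sample input: a display name that carries markup, as the advisory describes.
const sampleUser = { name: 'Alice <b>Support</b>' };
const sampleUrl = 'https://example.invalid/verify?token=abc123';

// Detection helper: true if any tag other than the template's own <p> and <a> appears.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z]+)/g) || [];
  return tags.some((t) => !/^<\/?(p|a)$/.test(t));
}

// Sample run (the unsafe output contains the injected <b>; the safe one renders it as text).
console.log(containsForeignTag(renderVerificationEmailUnsafe(sampleUser, sampleUrl)));
console.log(containsForeignTag(renderVerificationEmailSafe(sampleUser, sampleUrl)));
```

The same escaping must be applied to every interpolated field in every template, including subject lines and attribute values, not only the display name in the body.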
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Papra | Papra | < 26.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-35460?
CVE-2026-35460 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. A...
How severe is CVE-2026-35460?
CVE-2026-35460 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35460?
Check the references section above for vendor advisories and patch information. Affected products include: Papra Papra.