CVE-2026-35460 | THREATINT

Description

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-07 | Updated 2026-04-07 | Assigner GitHub_M

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 26.4.0

affected

References

github.com/.../papra/security/advisories/GHSA-6f8x-2rc9-vgh4 exploit

github.com/.../papra/security/advisories/GHSA-6f8x-2rc9-vgh4

cve.org (CVE-2026-35460)

nvd.nist.gov (CVE-2026-35460)

Download JSON