Vulnerability Database

CVE-2025-59526

Impact

An HTML injection vulnerability in plaintext e-mails generated by Mailgen has been discovered. Your project is affected if you make use of the Mailgen.generatePlaintext(email); method and pass in user-generated content. The issue has been discovered and reported by Edoardo Ottavianelli (@edoardottt).

Patches

The vulnerability has been patched in commit https://github.com/eladnava/mailgen/commit/741a0190ddae0f408b22ae3b5f0f4c3f5cf4f11d and released to npm in version 2.0.30.

Workarounds

Strip all HTML tags yourself before passing any content into Mailgen.generatePlaintext(email);.
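
One way to apply this workaround, as an added example that is not part of the advisory or of Mailgen's code: a sanitizer that removes tags from every string in the email object before it reaches generatePlaintext. The helper names stripTags and stripTagsDeep, the sample email and the mailGenerator variable in the final comment are assumptions.

```javascript
// Added example: pre-sanitizer for the workaround, not Mailgen's own code.
// stripTags and stripTagsDeep are hypothetical helper names.

// An opening, closing or doctype tag, or a comment. [^<>] also matches
// newlines, so a tag split across several lines is still caught.
const TAG_RE = /<[\/!]?[a-zA-Z][^<>]*>|<!--[\s\S]*?-->/g;

function stripTags(input) {
  let out = String(input);
  let prev;
  // Repeat until stable so nested fragments cannot reassemble into a tag.
  do {
    prev = out;
    out = out.replace(TAG_RE, '');
  } while (out !== prev);
  // Lossy on purpose: leftover angle brackets (unclosed tags) are dropped,
  // which also removes them from text such as "2 < 3".
  return out.replace(/[<>]/g, '');
}

// Return a cleaned copy of a nested value; the input is not modified.
// Object keys are cleaned too, in case they are rendered as labels.
function stripTagsDeep(value) {
  if (typeof value === 'string') return stripTags(value);
  if (Array.isArray(value)) return value.map(stripTagsDeep);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [stripTags(k), stripTagsDeep(v)])
    );
  }
  return value;
}

// Constructed sample input standing in for user-generated content.
const email = {
  body: {
    name: 'Alice <img src=x>',
    intro: 'Welcome <a\nhref="https://example.test">here</a>',
    outro: '<scr<b>ipt>Thanks</scr<b>ipt>',
  },
};

const safeEmail = stripTagsDeep(email);
// Assumed usage with an existing Mailgen instance named mailGenerator:
// const text = mailGenerator.generatePlaintext(safeEmail);
console.log(JSON.stringify(safeEmail, null, 2));
```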

Thanks to Edoardo Ottavianelli (@edoardottt) for discovering and reporting this vulnerability.

CVSS v3:

  • Severity: Unknown
  • Score:
  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N