Strix
26.1K

CVE-2026-26266

MEDIUMCVSS 6.1/10EPSS 0.24%

Last modified

CVE-2026-26266 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. EPSS estimates a 0.24% chance of exploitation in the next 30 days.

Description

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.[

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.24%

14.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
AliasvaultAliasvault< 0.26.0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-26266?
AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.[
How severe is CVE-2026-26266?
CVE-2026-26266 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.
How do I fix CVE-2026-26266?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-26266?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST