CVE-2026-26266 Overview
A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client, a privacy-first password manager with built-in email aliasing functionality. The vulnerability exists in versions 0.25.3 and lower, where HTML email content is rendered in an iframe using srcdoc without proper origin isolation or sanitization.
When viewing received emails on an alias, the application renders HTML content directly without applying sanitization or sandboxing. An attacker can exploit this by sending a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application, potentially enabling session hijacking, credential theft, or other malicious actions.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated user sessions, potentially compromising stored passwords and email aliases.
Affected Products
- AliasVault Web Client versions 0.25.3 and lower
- AliasVault Browser Extension (email viewing component)
- All deployments using the vulnerable email rendering functionality
Discovery Timeline
- 2026-03-03 - CVE-2026-26266 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-26266
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) stems from insufficient input sanitization in AliasVault's email rendering component. The application uses an iframe with the srcdoc attribute to display HTML email content, but fails to implement proper security controls. Without origin isolation or content sanitization, any JavaScript embedded in incoming emails executes within the application's security context.
The attack requires user interaction—specifically, the victim must view the malicious email within the AliasVault web client. Once triggered, the attacker's script runs with full access to the user's session, enabling theft of sensitive data including stored credentials and email alias configurations.
Root Cause
The root cause lies in the email rendering component's implementation in EmailDetails.tsx. The original code passed email HTML content through a minimal conversion function (ConversionUtility.convertAnchorTagsToOpenInNewTab) without comprehensive sanitization. Additionally, the iframe element lacked the sandbox attribute, which would normally restrict script execution and other potentially dangerous behaviors.
The vulnerable pattern allowed arbitrary HTML and JavaScript to be rendered in the same origin as the main application, violating the principle of least privilege for untrusted email content.
Attack Vector
The attack is network-based and requires the attacker to craft and send a malicious email to a target's AliasVault email alias. The attack flow is:
- Attacker composes an email containing malicious JavaScript (e.g., within <script> tags or event handlers)
- Email is sent to victim's AliasVault alias address
- Victim logs into AliasVault web client and views the email
- Malicious script executes in the application's origin context
- Attacker can exfiltrate session tokens, stored passwords, or perform actions as the victim
<div className="bg-white mt-4">
{email.messageHtml ? (
<iframe
- srcDoc={ConversionUtility.convertAnchorTagsToOpenInNewTab(email.messageHtml)}
+ srcDoc={ConversionUtility.sanitizeAndPrepareEmailHtml(email.messageHtml)}
className="w-full min-h-[500px] border-0"
title={t('emails.emailContent')}
+ sandbox="allow-popups allow-popups-to-escape-sandbox"
/>
) : (
<pre className="whitespace-pre-wrap text-gray-800 p-3">
Source: GitHub Commit Update
The fix introduces the DOMPurify library for comprehensive HTML sanitization:
+import DOMPurify from 'dompurify';
+
+/**
+ * DOMPurify configuration for email viewing.
+ * Allows safe HTML elements for email display while blocking XSS vectors.
+ */
+const EMAIL_SANITIZER_CONFIG = {
+ ALLOWED_TAGS: [
+ 'div', 'span', 'p', 'br', 'hr',
+ 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+ 'ul', 'ol', 'li',
+ 'table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td',
+ 'a', 'img',
+ 'b', 'i', 'u', 's', 'strike', 'strong', 'em', 'small', 'sub', 'sup',
+ 'blockquote', 'pre', 'code',
+ 'font', 'center'
+ ],
+ ALLOWED_ATTR: [
+ 'style', 'class', 'id',
+ 'width', 'height', 'align', 'valign',
+ 'bgcolor', 'color', 'border',
+ 'cellpadding', 'cellspacing', 'colspan', 'rowspan',
+ 'face', 'size',
+ 'href', 'target', 'rel',
+ 'src', 'alt', 'title'
+ ],
+ ALLOW_DATA_ATTR: false,
+ ADD_ATTR: ['target'],
+ FORBID_TAGS: ['script', 'object', 'embed', 'iframe', 'frame', 'frameset',
+ 'form', 'input', 'button', 'textarea', 'select', 'option',
Source: GitHub Commit Update
Detection Methods for CVE-2026-26266
Indicators of Compromise
- Emails containing <script> tags or JavaScript event handlers (e.g., onerror, onload, onclick)
- Unexpected outbound requests from the AliasVault web application domain to external servers
- Session token exposure in network logs or access from unexpected IP addresses
- User reports of unexpected behavior when viewing emails
Detection Strategies
- Implement Content Security Policy (CSP) violation logging to detect inline script execution attempts
- Monitor web application firewall (WAF) logs for requests containing encoded JavaScript payloads
- Review email gateway logs for messages with suspicious HTML content patterns
- Deploy browser-based XSS detection tools or security extensions for testing
Monitoring Recommendations
- Enable detailed logging for the email rendering component to capture rendering errors
- Set up alerts for unusual JavaScript execution patterns in client-side monitoring tools
- Monitor for DOM mutations that inject script elements into the email viewer iframe
- Track session token usage patterns to identify potential token theft scenarios
How to Mitigate CVE-2026-26266
Immediate Actions Required
- Upgrade AliasVault to version 0.26.0 or later immediately
- Review email viewing logs for any suspicious activity prior to patching
- Consider forcing re-authentication for all active sessions after the upgrade
- Notify users about the vulnerability and recommend password changes if compromise is suspected
Patch Information
AliasVault has released version 0.26.0 which addresses this vulnerability by implementing comprehensive HTML sanitization using DOMPurify and adding the sandbox attribute to email rendering iframes. The patch is available through the official GitHub release.
For detailed technical information about the fix, refer to the GitHub Security Advisory GHSA-f65p-p65r-g53q and the commit implementing the security patch.
Workarounds
- Disable HTML email rendering and view emails in plain text mode only until patching is possible
- Implement a reverse proxy or WAF rule to strip JavaScript from email content before delivery
- Block external image loading in emails to reduce attack surface for exfiltration
- Consider temporarily restricting email viewing functionality to trusted senders only
# Example: Restrict iframe capabilities via CSP header (temporary mitigation)
# Add to web server configuration or application response headers
Content-Security-Policy: frame-src 'none'; script-src 'self';
# For nginx configuration
add_header Content-Security-Policy "frame-src 'none'; script-src 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
