CVE-2026-35460 Overview
CVE-2026-35460 is a Cross-Site Scripting (XSS) vulnerability affecting Papra, a minimalistic document management and archiving platform. Prior to version 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g., auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications.
Critical Impact
Attackers can craft malicious HTML content in registration display names to inject arbitrary HTML into legitimate transactional emails, enabling sophisticated phishing attacks that abuse trusted email domains.
Affected Products
- Papra versions prior to 26.4.0
Discovery Timeline
- April 7, 2026 - CVE-2026-35460 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35460
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. In this case, the XSS manifests within email templates rather than web pages, creating an HTML injection vector in transactional emails.
The core issue lies in how Papra handles user-supplied display names when generating email content. The platform's email templating system directly interpolates the user.name field into the HTML body of verification and password reset emails without performing any HTML entity encoding or sanitization. This allows malicious HTML markup embedded in a user's display name to be rendered as actual HTML elements within the email body.
The attack is particularly dangerous because emails originate from Papra's legitimate mail servers and domains. Recipients have no technical means to distinguish between legitimate notifications and those containing injected malicious content, as all standard email authentication mechanisms (SPF, DKIM, DMARC) will pass validation.
Root Cause
The root cause is missing output encoding in the email template rendering pipeline. When constructing transactional emails, the application embeds the user.name value verbatim, without HTML-encoding special characters such as <, >, ", and &. Any HTML tags present in the display name are therefore interpreted by the mail client as markup rather than shown as plain text.
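To make the root cause concrete, here is an added illustration (not Papra's own template code): a minimal verification-email renderer in the unescaped form described above, next to one that HTML-escapes every interpolated value. The template text, the User shape and the link value are assumptions.

```typescript
// Added illustration, not Papra's own code: a minimal transactional-email
// renderer showing the interpolation bug and the escaping fix.
// The template text and the User shape are assumptions.

type User = { name: string };

// Vulnerable form: user.name is dropped straight into the HTML body, so a
// display name such as <a href="...">Click here</a> becomes a real link.
export function renderVerificationEmailUnsafe(user: User, link: string): string {
  return `<p>Hi ${user.name},</p>` +
    `<p>Please <a href="${link}">verify your email</a>.</p>`;
}

// Encode the five characters that can change the meaning of HTML markup.
// '&' must be handled first so already-encoded output is not double-escaped.
export function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed form: every user-controlled value is escaped at the point of
// interpolation, so the display name renders as literal text.
export function renderVerificationEmailSafe(user: User, link: string): string {
  return `<p>Hi ${escapeHtml(user.name)},</p>` +
    `<p>Please <a href="${escapeHtml(link)}">verify your email</a>.</p>`;
}
```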
Attack Vector
The attack is network-based and requires low privileges (only user registration). An attacker can exploit this vulnerability through the following steps:
- Register a new Papra account with a display name containing malicious HTML (e.g., <a href="https://attacker-site.com">Click here to verify</a>)
- The Papra system generates a verification email containing the attacker's display name
- The injected HTML renders in the email body, potentially displaying phishing links or misleading content
- If the attacker can trigger password reset emails for other users (through account enumeration or social engineering), they may be able to inject content into emails sent to victims
The vulnerability could be used to inject links to credential harvesting pages, embed misleading instructions, or, in the few email clients that execute JavaScript in HTML messages, include scripts.
Detection Methods for CVE-2026-35460
Indicators of Compromise
- User accounts with display names containing HTML tags such as <a>, <script>, <img>, or <iframe>
- Registration attempts with unusually long display names containing encoded HTML entities
- Reported phishing emails that appear to originate from legitimate Papra email addresses
- User complaints about suspicious content in verification or password reset emails
Detection Strategies
- Implement input validation logging to flag registration attempts containing HTML special characters in display names
- Monitor for user accounts where the display name contains pattern matches for HTML tags
- Review email bounce logs for unusual patterns that might indicate injection testing
- Analyze authentication logs for rapid account creation that may indicate automated exploitation attempts
Monitoring Recommendations
- Enable detailed logging for user registration and profile update events
- Set up alerts for display names containing characters commonly used in HTML injection (<, >, ", ')
- Monitor outbound email content for unexpected HTML elements using email gateway inspection tools
- Review user-reported phishing incidents for patterns indicating email template injection
How to Mitigate CVE-2026-35460
Immediate Actions Required
- Upgrade Papra to version 26.4.0 or later immediately
- Audit existing user accounts for display names containing HTML markup
- Sanitize or reset any user display names found to contain HTML tags
- Review recent transactional emails for evidence of exploitation
Patch Information
This vulnerability is fixed in Papra version 26.4.0. The fix implements proper HTML entity encoding for user-supplied data interpolated into email templates. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, implement input validation at the registration layer to reject display names containing HTML special characters
- Configure a Web Application Firewall (WAF) rule to block registration requests where the display name field contains HTML tags
- Temporarily disable user self-registration until the patch can be applied
- Switch transactional emails to plain text format to prevent HTML rendering
# Example: sanitize existing display names in the database (adjust for your database)
# This strips HTML tags from user display names as a temporary measure.
# The table and column names (users, id, display_name) are placeholders; use your schema's.
# Always back up your database before running update queries.
# PostgreSQL example: first preview the rows that would change, then update them.
psql -d papra_db -c "SELECT id, display_name FROM users WHERE display_name ~ '<[^>]+>';"
psql -d papra_db -c "UPDATE users SET display_name = regexp_replace(display_name, '<[^>]+>', '', 'g') WHERE display_name ~ '<[^>]+>';"
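The following added example (not Papra's own code) serves both the detection strategies above and the registration-layer workaround: it classifies why a stored display name looks like an injection attempt, runs that check over a batch of registration records, and rejects such names at registration time. The Registration shape, the 80-character limit and the sample rows are constructed assumptions.

```typescript
// Added example, not Papra's own code: flag stored display names that look
// like injection attempts, and reject such names at registration time.
// The Registration shape and SAMPLE_ROWS are constructed for illustration.

type Registration = { id: number; email: string; displayName: string };
export type Finding = { id: number; reason: string };

const TAG_PATTERN = /<\/?[a-zA-Z][^>]*>/;                      // literal tag, e.g. <a href="...">
const ENCODED_ANGLE = /&(lt|gt|#0*60|#0*62|#x0*3c|#x0*3e);/i;  // entity-encoded < or >
const BARE_ANGLE = /[<>]/;                                      // stray angle bracket
const QUOTE = /["']/;                                           // quote characters from the monitoring list

// Detection: return why a display name is suspicious, or null if it is clean.
export function inspectDisplayName(name: string): string | null {
  if (TAG_PATTERN.test(name)) return "html-tag";
  if (ENCODED_ANGLE.test(name)) return "encoded-angle-bracket";
  if (BARE_ANGLE.test(name)) return "angle-bracket";
  if (QUOTE.test(name)) return "quote";
  return null;
}

// Run over a batch of registrations (for example an export of the user table)
// and return the rows worth a closer look, with the reason each was flagged.
export function flagRegistrations(rows: Registration[]): Finding[] {
  const findings: Finding[] = [];
  for (const row of rows) {
    const reason = inspectDisplayName(row.displayName);
    if (reason !== null) findings.push({ id: row.id, reason });
  }
  return findings;
}

// Workaround at the registration layer: refuse anything that could form markup.
// A bare quote is still flagged for review above but accepted here, otherwise
// legitimate names such as O'Brien would be rejected.
export function isAcceptableDisplayName(name: string): boolean {
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 80) return false;
  const reason = inspectDisplayName(trimmed);
  return reason === null || reason === "quote";
}

// Constructed sample registrations (not real Papra data).
export const SAMPLE_ROWS: Registration[] = [
  { id: 1, email: "alice@example.com", displayName: "Alice" },
  { id: 2, email: "mallory@example.com", displayName: '<a href="https://attacker-site.com">Click here to verify</a>' },
  { id: 3, email: "carol@example.com", displayName: "Carol &lt;img src=x&gt;" },
  { id: 4, email: "obrien@example.com", displayName: "O'Brien" },
];
```

The "quote" finding exists only to show that the monitoring list's quote characters produce false positives on ordinary names, so alert on it at a lower severity than the tag findings.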
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.