Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-26266 — AI Deep Analysis Summary

CVSS 9.3 · Critical

Q1What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: AliasVault suffers from a Stored XSS vulnerability. 📉 **Consequences**: Attackers can inject malicious scripts via email rendering.…

Q2Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw lies in how HTML content is rendered inside an iframe using `srcdoc`.…

Q3Who is affected? (Versions/Components)

🎯 **Affected**: AliasVault versions **0.25.3 and earlier**. Specifically, the email rendering component is vulnerable. Ensure you are not running legacy builds.

Q4What can hackers do? (Privileges/Data)

💀 **Attacker Capabilities**: Full Stored XSS impact. Hackers can steal cookies, hijack sessions, and perform actions on behalf of the victim. High impact on Confidentiality (C:H) and Integrity (I:H).

Q5Is exploitation threshold high? (Auth/Config)

⚖️ **Exploitation Threshold**: Medium. CVSS indicates **UI:R** (User Interaction Required). The victim likely needs to view the malicious email/content.…

Q6Is there a public Exp? (PoC/Wild Exploitation)

📦 **Public Exploit**: No specific PoC code is listed in the data. However, the vulnerability is confirmed via GitHub Advisory (GHSA-f65p-p65r-g53q). Theoretical exploitation is straightforward for XSS.

Q7How to self-check? (Features/Scanning)

🔍 **Self-Check**: Scan for AliasVault instances. Check version numbers against **0.25.3**. Look for email features rendering HTML in iframes. Use DAST tools to test for XSS in email input fields.

Q8Is it fixed officially? (Patch/Mitigation)

✅ **Official Fix**: Yes. Patched in **Version 0.26.0**. See the GitHub release notes and commit `382e2e96fa502891638a48404f6d82dc972ab481` for details.

Q9What if no patch? (Workaround)

🚧 **No Patch Workaround**: Isolate the email rendering feature. Disable HTML rendering in emails if possible. Implement strict Content Security Policy (CSP) headers to mitigate script execution in iframes.

Q10Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **HIGH**. CVSS Score implies High impact. Stored XSS is dangerous. Update to v0.26.0 immediately. Do not ignore this if you are running older versions.