HTML Injection Vulnerability in Mailgen Node.js Package
CVE-2025-62366

2.9 LOW

Key Information:

Vendor

Eladnava

Status
Vendor
CVE Published:
14 October 2025

What is CVE-2025-62366?

The Mailgen Node.js package, designed for creating responsive HTML emails, is susceptible to an HTML injection vulnerability in its generatePlaintext method. When user-generated content includes encoded HTML entities, the function fails to strip these entities, so the plaintext it produces can contain live markup; if that plaintext is later rendered as HTML, injected JavaScript can execute. The risk is therefore greatest where the plaintext output is subsequently displayed as HTML. Users of Mailgen versions prior to 2.0.31 are strongly encouraged to upgrade, as version 2.0.31 contains the patch that mitigates this risk. No known workarounds are available.
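The following is an added example, not Mailgen's code or its fix: a small model of the decode-then-display failure mode the advisory describes, beside the defender-side controls a consumer of such plaintext would want (a check that generated plaintext carries no markup, and HTML-escaping before plaintext is ever placed in an HTML context). The entity-decoding step, the function names and the sample input are constructed for illustration.

```javascript
// Constructed model of an HTML-to-plaintext step that decodes entities
// after stripping tags, so user-supplied "&lt;script&gt;" comes out as
// "<script>". This stands in for the behaviour described in the advisory;
// it is not Mailgen's implementation.
const ENTITY_MAP = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };

function modelToPlaintext(html) {
  // Real tags are removed first; entities are decoded afterwards, so the
  // markup they re-create is never seen by the tag-stripping pass.
  const withoutTags = html.replace(/<[^>]*>/g, '');
  return withoutTags.replace(/&(lt|gt|quot|#39|amp);/g, (m) => ENTITY_MAP[m]);
}

// Defender check: "plaintext" that is about to be displayed should never
// contain anything that parses as an HTML tag.
function containsMarkup(text) {
  return /<\s*\/?\s*[a-zA-Z][^>]*>/.test(text);
}

// Output encoding: treat generated plaintext as data, never as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: plaintext interpolated straight into an HTML page.
function renderPlaintextUnsafe(plaintext) {
  return `<pre>${plaintext}</pre>`;
}

// Hardened pattern: the same display path with the plaintext escaped.
function renderPlaintextSafe(plaintext) {
  return `<pre>${escapeHtml(plaintext)}</pre>`;
}

// Constructed sample: user-controlled text containing encoded markup.
const SAMPLE = 'Hello <b>user</b>, you wrote: &lt;script&gt;doSomething()&lt;/script&gt;';

const plaintext = modelToPlaintext(SAMPLE);
console.log('plaintext contains markup:', containsMarkup(plaintext)); // true
console.log(renderPlaintextSafe(plaintext));
```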

Affected Version(s)

mailgen < 2.0.31

References

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
