Cross-Site Scripting in Papra Document Management System
CVE-2026-35460

4.3 MEDIUM

Key Information:

Vendor: Papra-hq
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-35460?

Papra, a minimalistic document management and archiving platform, has a vulnerability in its handling of user input in transactional email templates. Prior to version 26.4.0, Papra interpolated user.display_name directly into the HTML of verification and password reset emails without escaping or sanitization. An attacker can therefore register with a display name containing HTML tags, and those tags are injected verbatim into the emails. Recipients then receive seemingly legitimate emails from official Papra domains, enabling phishing that can deceive them into taking harmful actions.
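To illustrate the defect and its fix, the following added JavaScript example (not Papra's own code; the template shape, function names and sample values are assumptions) contrasts a template that interpolates the display name raw with one that HTML-escapes it first, plus a small check a test suite can run over rendered email bodies.

```javascript
// Added example, not Papra's code: contrasts raw interpolation of a
// user-supplied display name into an email template with an escaped version.

// Minimal HTML escaper covering the characters that matter in text
// content and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form (assumed shape of the pre-26.4.0 behaviour): the display
// name lands in the markup unchanged, so any tags it contains are rendered.
function renderVerificationEmailUnsafe(displayName, verifyUrl) {
  return `<p>Hello ${displayName},</p>` +
         `<p><a href="${verifyUrl}">Verify your email</a></p>`;
}

// Hardened form: every user-controlled value is escaped before interpolation.
function renderVerificationEmailSafe(displayName, verifyUrl) {
  return `<p>Hello ${escapeHtml(displayName)},</p>` +
         `<p><a href="${escapeHtml(verifyUrl)}">Verify your email</a></p>`;
}

// Detection helper: does the rendered body contain any tag other than the
// ones the template itself emits? Usable as a unit test on every template.
function containsUnexpectedTags(html, allowedTags) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    found.add(m[1].toLowerCase());
  }
  return [...found].some((t) => !allowedTags.includes(t));
}

// Constructed sample: a display name carrying markup, and a placeholder URL.
const sampleName = '<b>Alice</b>';
const sampleUrl = 'https://example.invalid/verify?token=PLACEHOLDER';
const allowed = ['p', 'a'];

console.log(containsUnexpectedTags(renderVerificationEmailUnsafe(sampleName, sampleUrl), allowed)); // true
console.log(containsUnexpectedTags(renderVerificationEmailSafe(sampleName, sampleUrl), allowed));   // false
```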

Affected Version(s)

papra < 26.4.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved