Low severity · OSV Advisory · Published Sep 22, 2025 · Updated Apr 15, 2026

CVE-2025-59526

Description

mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Prior to version 2.0.30, there is an HTML injection vulnerability in plaintext e-mails generated by Mailgen. Projects are affected if the Mailgen.generatePlaintext(email) method is used and given user-generated content. This vulnerability has been patched in version 2.0.30. A workaround involves stripping all HTML tags before passing any content into Mailgen.generatePlaintext(email).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mailgen prior to 2.0.30 has an HTML injection vulnerability in plaintext e-mails when user-generated content is passed to generatePlaintext().

Vulnerability

Overview

Mailgen is a Node.js package that generates responsive HTML e-mails for transactional mail. Prior to version 2.0.30, the Mailgen.generatePlaintext(email) method contained an HTML injection vulnerability. The root cause is an insufficient regular expression used to strip HTML tags from the plaintext output. The regex /<.+?>/g fails to match tags that span multiple lines (the `.` metacharacter does not match a newline), so a tag broken across lines survives the stripping pass, allowing an attacker to inject arbitrary HTML into the plaintext version of an e-mail [1][2][3].

Exploitation

A project is affected if it uses the Mailgen.generatePlaintext(email) method and passes user-generated content into the email object (e.g., in fields like intro, outro, or action.instructions). An attacker can supply content containing HTML tags that are not properly removed, such as a multi-line tag. No authentication or special network position is required beyond the ability to provide input that ends up in the plaintext generation process [2][3].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML into the plaintext e-mail output. This can lead to phishing attacks, content spoofing, or other client-side attacks when the plaintext e-mail is rendered in a mail client that interprets HTML. The severity is considered Low because the vulnerability is limited to the plaintext generation and requires user-generated content [2][3].

Mitigation

The vulnerability has been patched in version 2.0.30 via commit 741a019, which updates the regex to /<(.|\n)+?>/g so that tags containing newlines are also matched and removed [4]. Users should upgrade to version 2.0.30 or later. As a workaround, developers can strip all HTML tags from user input before passing it to Mailgen.generatePlaintext(email) [2][3].
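As an added example (not mailgen's own code), the two tag-stripping patterns described in the Overview and Mitigation sections are applied to a constructed intro string, alongside a `[\s\S]`-based check a project can run on its own plaintext output to confirm that nothing tag-shaped survived; the example also covers a carriage-return case the advisory does not discuss. The function names and sample strings are constructed for this illustration.

```javascript
// Added example, not code from the mailgen project: compares the pre-2.0.30
// and 2.0.30 tag-stripping patterns on constructed input.

// Pre-2.0.30 pattern: `.` does not match a newline, so a tag whose body is
// split across lines is left untouched in the plaintext output.
const LEGACY_TAG_RE = /<.+?>/g;

// 2.0.30 pattern from the fix commit: (.|\n) additionally matches LF.
const PATCHED_TAG_RE = /<(.|\n)+?>/g;

function stripTagsLegacy(text) {
  return text.replace(LEGACY_TAG_RE, '');
}

function stripTagsPatched(text) {
  return text.replace(PATCHED_TAG_RE, '');
}

// Defensive check for a project's own output (or for user input before it
// reaches generatePlaintext): does anything that still looks like an HTML tag
// remain? [\s\S] matches every character, including CR, LF and the Unicode
// line separators that `.` excludes in a JavaScript regex without the s flag.
function containsHtmlTag(text) {
  return /<[\s\S]+?>/.test(text);
}

// Constructed samples: an intro field with a tag split by LF, and by CR.
const SAMPLE_INTRO_LF = 'Welcome <b\n>to the service</b>';
const SAMPLE_INTRO_CR = 'Welcome <b\r>to the service</b>';

// Returns, for one input, what each pattern leaves behind and whether a
// tag-shaped fragment survived. Useful as a regression check in a test suite.
function compareStripping(text) {
  const legacy = stripTagsLegacy(text);
  const patched = stripTagsPatched(text);
  return {
    legacy,
    patched,
    legacyLeaksTag: containsHtmlTag(legacy),
    patchedLeaksTag: containsHtmlTag(patched),
  };
}
```

The CR sample shows why the check uses `[\s\S]`: the patched pattern handles LF but still leaves a tag containing a bare carriage return in place.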

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mailgen (npm)
Affected versions: < 2.0.30
Patched versions: 2.0.30

Affected products

  • Eladnava/Mailgen (OSV), 2 versions, affected range: <2.0.30 (no CPE assigned)

Patches

1 patch · commit 741a0190ddae

index.js: Fix HTML injection security issue in plaintext e-mails

https://github.com/eladnava/mailgen · Elad Nava · Sep 21, 2025 · via ghsa
1 file changed · +1 −1
  • index.js (+1 −1, modified)
    @@ -123,7 +123,7 @@ Mailgen.prototype.generatePlaintext = function (params) {
         }
     
         // Strip all HTML tags from plaintext output
    -    output = output.replace(/<.+?>/g, '');
    +    output = output.replace(/<(.|\n)+?>/g, '');
     
         // Decode HTML entities such as &copy;
         output = he.decode(output);
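Review bot: the replacement pattern `/<(.|\n)+?>/g` on the `+` line still does not match a tag whose body contains `\r` (CRLF input), `\u2028` or `\u2029`, because `.` in a JavaScript regex without the `s` flag excludes all four line terminators and the alternation only adds back `\n`; a character class that matches everything closes that gap, e.g. `output = output.replace(/<[\s\S]+?>/g, '');`, or keep `.` and add the `s` (dotAll) flag. `(.|\n)` also backtracks through the alternation on every character, whereas `[\s\S]` is a single class. Separately, the stripping runs before `output = he.decode(output);` in the following context lines, so an entity-encoded `&lt;` in the input is turned into a literal `<` only after the tag-stripping pass; worth confirming that order is intended and adding a test case for it.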
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.