VRT Category Suggestion - Self Email HTML Injection #497

@binbashsu-bugcrowd

Description

P5: Server-Side Injection > Content Spoofing > Self Email HTML Injection

Attack scenario:

  1. A malicious actor authenticates onto their account
  2. Interacting with a feature within the application allows the user to send emails, the contents of which can be controlled, and it has been identified that HTML can be injected into the contents of said email
  3. The malicious actor does not have the ability to control who this email is sent to, but instead the email is always sent to the authenticated account

This behaviour would be considered a Self attack, as the injected email is only sent to the authenticated user and, in order to exploit it, an attacker would require prior access to a victim's account, which at this stage would be pointless.
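The scenario above, shown as an added example that is not part of the issue and not code from any real application: a "send me my note" feature interpolates user text into an HTML email, the recipient is fixed to the logged-in user's address taken from the session (which is what keeps the finding self-only), and a small triage check lists the tags in the rendered body that did not come from the template. The function names, the session and form dicts, and the example.invalid addresses are assumptions made for the example.

```python
"""Added example: HTML injection into a self-addressed email.

All names here (send_note, the session/form dicts, example.invalid)
are assumptions for the example, not code from any real application.
"""
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags the email template itself emits; any other tag in the rendered
# body can only have come from user input.
TEMPLATE_TAGS = {"html", "body", "p", "div"}

# Constructed sample input: the "note" field a user submits, carrying HTML.
INJECTED_NOTE = (
    '<a href="https://example.invalid/reverify">Re-verify your account</a>'
    '<img src=x onerror="alert(1)">'
)


def render_note_vulnerable(note: str) -> str:
    # Vulnerable: user text is interpolated into the HTML body verbatim.
    return (
        "<html><body><p>Your saved note:</p>"
        f"<div>{note}</div></body></html>"
    )


def render_note_hardened(note: str) -> str:
    # Hardened: escape <, >, &, and quotes so the note renders as text.
    return (
        "<html><body><p>Your saved note:</p>"
        f"<div>{html.escape(note, quote=True)}</div></body></html>"
    )


def send_note(session: dict, form: dict, render) -> EmailMessage:
    """Build the email the feature sends.

    The recipient comes from the authenticated session, never from the
    request, so an attacker can only mail the injected HTML to their own
    account (the "self" condition in the issue). A "to" field in the form
    is ignored.
    """
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = session["email"]  # fixed to the logged-in user
    msg["Subject"] = "Your saved note"
    msg.add_alternative(render(form["note"]), subtype="html")
    return msg


class _TagCollector(HTMLParser):
    """Collects every start tag seen while parsing an HTML body."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(msg: EmailMessage) -> set:
    """Triage check: which tags in the HTML part were not emitted by the template?

    An empty set means user input was rendered as text, not markup.
    """
    part = msg.get_body(preferencelist=("html",))
    collector = _TagCollector()
    collector.feed(part.get_content())
    return set(collector.tags) - TEMPLATE_TAGS


if __name__ == "__main__":
    session = {"email": "attacker@example.invalid"}
    # The attacker tries to redirect the mail; "to" is never read.
    form = {"note": INJECTED_NOTE, "to": "victim@example.invalid"}
    for render in (render_note_vulnerable, render_note_hardened):
        msg = send_note(session, form, render)
        print(render.__name__, "-> To:", msg["To"],
              "injected tags:", sorted(injected_tags(msg)))
```

Running the block shows the vulnerable renderer leaving `a` and `img` in the body while the hardened one leaves none, and in both cases the mail is addressed to the session user regardless of the submitted "to" value; the triage check is the kind of evidence a report for this category would attach.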
