Critical (9.3)

CVE-2026-26266: AliasVault XSS — Critical — Patch Now

CVE-2026-26266

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client ve...

Affected: Vault

Overview

A critical security vulnerability has been identified in the AliasVault web client. This flaw could allow an attacker to take control of a user’s password manager account by sending a specially crafted email.

Vulnerability Description

AliasVault is a password manager that includes a feature to create email aliases for privacy. A weakness was found in how the web client displays emails received at these aliases. When you view an email, its content is displayed within the application’s webpage. Due to a lack of proper security isolation, any malicious code hidden within a crafted email would not be contained. Instead, it would run with full access to your AliasVault web session, as if it were part of the application itself. This type of flaw is known as a Stored Cross-Site Scripting (XSS) vulnerability.
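The pattern described above (untrusted email HTML injected straight into the application's own page) contrasted with an isolated rendering approach, as an added example that is not AliasVault's code and does not claim to be the vendor's exact fix: the email body is placed in a fully sandboxed iframe with its own Content-Security-Policy, so it has an opaque origin and no access to the application's session. Names such as `buildIsolatedEmailDocument` and `renderEmailInto` are assumptions for this illustration.

```javascript
// Added example (not AliasVault's code): render untrusted email HTML in an
// isolated frame instead of injecting it into the application's own DOM.

// Sandbox tokens deliberately NOT granted: allow-scripts and
// allow-same-origin. Without them the frame gets an opaque origin, so even
// if script did run it could not read the app's cookies or web storage.
const EMAIL_FRAME_SANDBOX = ""; // empty value = every sandbox restriction on

// CSP placed in <head> of the framed document. Scripts are already blocked
// by the sandbox; this additionally stops images and stylesheets from
// contacting remote servers (tracking pixels) and blocks form submission.
const EMAIL_FRAME_CSP =
  "default-src 'none'; img-src data: cid:; style-src 'unsafe-inline'; " +
  "form-action 'none'; base-uri 'none'";

// Build a complete srcdoc document for one email body. The untrusted HTML
// goes in <body>; a <meta http-equiv=Content-Security-Policy> is only
// honoured inside <head>, so markup in the body cannot loosen the policy.
function buildIsolatedEmailDocument(untrustedHtml) {
  return (
    "<!DOCTYPE html><html><head>" +
    '<meta charset="utf-8">' +
    '<meta http-equiv="Content-Security-Policy" content="' + EMAIL_FRAME_CSP + '">' +
    "</head><body>" + untrustedHtml + "</body></html>"
  );
}

// Guard for code review and tests: reject any sandbox value that would
// re-grant script execution or the parent's origin to the email frame.
function isSandboxRestrictive(sandboxValue) {
  const tokens = sandboxValue.trim().split(/\s+/).filter(Boolean);
  return !tokens.includes("allow-scripts") && !tokens.includes("allow-same-origin");
}

// Browser-side renderer (returns null outside a DOM environment). The
// sandbox attribute must be set before srcdoc so it applies to the first load.
function renderEmailInto(container, untrustedHtml) {
  if (typeof document === "undefined") return null;
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", EMAIL_FRAME_SANDBOX);
  frame.setAttribute("referrerpolicy", "no-referrer");
  frame.srcdoc = buildIsolatedEmailDocument(untrustedHtml);
  container.replaceChildren(frame);
  return frame;
}
```

The vulnerable shape this replaces is `container.innerHTML = emailHtml`, which runs any embedded script in the application's origin.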

Impact

If exploited, this vulnerability has severe consequences. An attacker who knows your email alias could send you a malicious email. Simply opening that email within the AliasVault web client could allow the attacker to:

  • Steal your session cookies and hijack your logged-in account.
  • Access, export, or delete your stored passwords and sensitive data.
  • Perform actions within your account, such as creating new aliases or changing settings, without your consent.

Successful exploitation requires no interaction beyond viewing the email, making it a high-risk threat.

Affected Versions

This vulnerability affects AliasVault Web Client versions 0.25.3 and all earlier releases.

Remediation and Mitigation

The vendor has released a fix. Immediate action is required.

Primary Action: Update Immediately

  • Upgrade to version 0.26.0 or later. This is the only complete solution. The update properly isolates email content, preventing malicious code from escaping and accessing your main application session.

Interim Mitigation (If Update is Delayed)

If you cannot update immediately, exercise extreme caution:

  • Avoid viewing emails from unknown senders within the AliasVault web interface. The attack is triggered upon viewing.
  • Consider temporarily disabling the email alias feature if your workflow allows it, until the upgrade can be performed.

General Advice

  • Ensure automatic updates are enabled for the AliasVault client where possible.
  • Inform users within your organization about the importance of applying this security update promptly.

You should apply the patched version (0.26.0+) to all affected systems as a matter of high priority.
