Advisory Details

HTML Content Injection in E-Mails

CVSS 3.1:5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack VectorN/A
Attack ComplexityN/A
Privileges RequiredN/A
User InteractionN/A
ScopeN/A
ConfidentialityN/A
IntegrityN/A
AvailabilityN/A
Software:Apache Answer
Published:09.06.2026
CVE:CVE-2026-34033 ↗
Credits:Reimar Fritz
External Advisory:Check out the external advisory ↗

Summary

Apache Answer is susceptible to an HTML content injection in emails, allowing any authenticated user to send arbitrary HTML content via email to users with enabled email notifications. Users may be targeted specifically with question tags or comments to their questions.

The viable parameters for this attack include the question title and the display name. An attack using the question title requires the target user to either have “All new questions” or have “All new questions for following tags” email notifications enabled. An attack using the display name requires the target user to have “Inbox notifications” email notifications enabled.

The display name is limited to 30 characters and the question title is limited to 150 characters by default.

PoC

Apache Answer is set up with the recommended Docker Compose:

version: "3"
services:
answer:
image: apache/answer
ports:
- '9080:80'
restart: unless-stopped
volumes:
- answer-data:/data

volumes:
answer-data:

To receive emails in the test environment a MailPit Docker Container is used and configured in the SMTP settings (http://example.com:9080/admin/smtp)

docker run -d --restart unless-stopped --name=mailpit -p 8025:8025 -p 1025:1025 axllent/mailpit

The following two approaches are viable, as described above.

The victim (user1) has enabled all email notifications: “Inbox notifications”, “All new questions” and “All new questions for following tags”.

Email notifications configuration
Email notifications configuration

The attacker (user2) has set a display name with HTML content (<30 characters, e.g. “LINK”)

HTML content in the display name
HTML content in the display name

Question title

The attacker creates a new question with HTML content in the question title. The victim receives an HTML mail with the rendered HTML content from the attacker’s question title.

Create question with HTML content in the title
Create question with HTML content in the title

HTML content in the received email
HTML content in the received email

Question comment

The attacker, with a display name including HTML content, comments on a victims question or answer with arbitrary content. The victim receives an HTML email with the rendered HTML content from the attacker’s display name.

Comment as a user with HTML content in the display name
Comment as a user with HTML content in the display name

HTML content in the received email
HTML content in the received email

Könnte deine Anwendung auch Lücken haben?

In unserem Hacking Cult Bootcamp durchläufst du in 4 Wochen einen strukturierten Security-Check. Von Grundlagenwissen, um zu prüfen, wo dein Team wirklich steht, bis hin zum konkreten Schwachstellen-Scan deiner Webanwendung. Und das komplett kostenlos!

Melde dich!

Hacking Cult GmbH

Gerolfinger Str. 106
85049 Ingolstadt

+49 (841) 9937 3456
ops[LOESCH-MICH-SPAMSCHUTZ]@[LOESCH-MICH-AUCH]hackingcult.de

LinkedIn Unternehmensseite
Facebook Account
Hacking Cult Youtube Channel
Hacking Cult Instagram account