| CVSS 3.1: | 5.4
(Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| ||||||||||||||||
| Software: | Apache Answer | ||||||||||||||||
| Published: | 09.06.2026 | ||||||||||||||||
| CVE: | CVE-2026-34033 ↗ | ||||||||||||||||
| Credits: | Reimar Fritz | ||||||||||||||||
| External Advisory: | Check out the external advisory ↗ |
Apache Answer is susceptible to an HTML content injection in emails, allowing any authenticated user to send arbitrary HTML content via email to users with enabled email notifications. Users may be targeted specifically with question tags or comments to their questions.
The viable parameters for this attack include the question title and the display name. An attack using the question title requires the target user to either have “All new questions” or have “All new questions for following tags” email notifications enabled. An attack using the display name requires the target user to have “Inbox notifications” email notifications enabled.
The display name is limited to 30 characters and the question title is limited to 150 characters by default.
Apache Answer is set up with the recommended Docker Compose:
version: "3"
services:
answer:
image: apache/answer
ports:
- '9080:80'
restart: unless-stopped
volumes:
- answer-data:/data
volumes:
answer-data:
To receive emails in the test environment a MailPit Docker Container is used and configured in the SMTP settings (http://example.com:9080/admin/smtp)
docker run -d --restart unless-stopped --name=mailpit -p 8025:8025 -p 1025:1025 axllent/mailpit
The following two approaches are viable, as described above.
The victim (user1) has enabled all email notifications: “Inbox notifications”, “All new questions” and “All new questions for following tags”.

The attacker (user2) has set a display name with HTML content (<30 characters, e.g. “LINK”)

The attacker creates a new question with HTML content in the question title. The victim receives an HTML mail with the rendered HTML content from the attacker’s question title.


The attacker, with a display name including HTML content, comments on a victims question or answer with arbitrary content. The victim receives an HTML email with the rendered HTML content from the attacker’s display name.


In unserem Hacking Cult Bootcamp durchläufst du in 4 Wochen einen strukturierten Security-Check. Von Grundlagenwissen, um zu prüfen, wo dein Team wirklich steht, bis hin zum konkreten Schwachstellen-Scan deiner Webanwendung. Und das komplett kostenlos!
Gerolfinger Str. 106
85049 Ingolstadt
+49 (841) 9937 3456
ops[LOESCH-MICH-SPAMSCHUTZ]@[LOESCH-MICH-AUCH]hackingcult.de