CVE-2025-59526: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2025-59526 affects mailgen, a Node.js package that generates responsive HTML e-mails for sending transactional mail. The vulnerability was discovered and reported by Edoardo Ottavianelli (@edoardottt) and was disclosed on September 22, 2025. It specifically affects versions prior to 2.0.30 and involves an HTML injection vulnerability in plaintext e-mails generated by the package (GitHub Advisory, NVD).

The vulnerability is classified as an HTML injection issue (CWE-79: Improper Neutralization of Input During Web Page Generation) that occurs when using the Mailgen.generatePlaintext(email) method with user-generated content. The CVSS v4.0 score is 2.7 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:U (NVD).

Projects that use the Mailgen.generatePlaintext(email) method and pass user-generated content are affected by this vulnerability. The vulnerability could potentially allow HTML injection in plaintext emails, which might lead to security issues when processing or displaying the generated content (GitHub Advisory).

The vulnerability has been patched in version 2.0.30 of the mailgen package. For users who cannot immediately update, a workaround is available: strip all HTML tags before passing any content into Mailgen.generatePlaintext(email). The fix was implemented in commit 741a019, which modified the HTML tag stripping regex to handle multi-line content (GitHub Commit, GitHub Advisory).