CVE-2026-57741 in SMTP Newsletter Plugininfo

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

This cross-site scripting vulnerability originates from inadequate input validation and sanitization within the AcyMailing newsletter platform's web page generation process. The flaw represents a classic stored xss vulnerability where malicious script code can be injected into the system and subsequently executed whenever affected pages are rendered for users. The vulnerability specifically impacts the SMTP newsletter functionality of AcyMailing, creating a persistent security risk that affects versions ranging from the initial release through version 10.11.0.

The technical implementation of this flaw occurs during the web page generation phase where user-supplied data is not properly neutralized before being incorporated into dynamic html content. This allows attackers to inject malicious javascript payloads through various input vectors such as email addresses, newsletter content fields, or configuration parameters that are then stored within the application's database. When legitimate users access pages containing this maliciously stored content, their browsers execute the embedded scripts within the context of the vulnerable web application, potentially compromising user sessions and enabling further attacks.

The operational impact of this vulnerability extends beyond simple script execution as it can facilitate session hijacking, credential theft, and unauthorized access to sensitive user data. Attackers can leverage this weakness to steal cookies, redirect users to malicious sites, or inject additional malware into the target environment. The stored nature of this vulnerability means that once exploited, the malicious code persists until manually removed from the database, creating a long-term security risk for all users who encounter the compromised content. This particular flaw aligns with CWE-79 which specifically addresses cross-site scripting vulnerabilities and represents a fundamental failure in input sanitization practices.

Organizations using affected AcyMailing versions face significant risks including potential data breaches, regulatory compliance violations, and reputational damage from successful exploitation attempts. The vulnerability creates an attack surface that can be leveraged by threat actors to gain unauthorized access to user accounts and potentially escalate privileges within the application environment. Mitigation strategies should prioritize immediate patching to version 10.11.1 or later where the stored xss vulnerability has been addressed through proper input sanitization and output encoding mechanisms.

Security teams should implement additional protective measures including web application firewalls, content security policies, and regular security assessments of the affected platform. The implementation of proper input validation frameworks and output encoding techniques aligns with recommended practices from the mitre attack framework, specifically addressing techniques related to command injection and credential access. Organizations must also conduct thorough vulnerability assessments to identify any other potential xss vectors within their email marketing infrastructure and ensure that all user-supplied content undergoes rigorous sanitization before being processed or displayed within web interfaces.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!