CVE-2026-26266
AliasVault · AliasVault Web Client
A stored cross-site scripting (XSS) vulnerability in AliasVault Web Client allows attackers to execute malicious JavaScript in the victim's browser via crafted emails.
Executive summary
AliasVault Web Client is vulnerable to a critical stored cross-site scripting attack that enables unauthenticated attackers to execute malicious code in the context of a user's session.
Vulnerability
The email rendering feature displays email HTML inside an iframe via the srcdoc attribute without sanitizing the content and without isolating the frame from the web client's origin. An unauthenticated attacker can send a crafted email containing JavaScript that executes in the victim's session when the email is viewed.
Business impact
This vulnerability carries a CVSS score of 9.3, signifying High/Critical severity. Successful exploitation allows for session hijacking, theft of sensitive password manager data, and unauthorized actions performed on behalf of the user. Because AliasVault is a privacy-focused tool, this flaw directly undermines the core security promise of the product.
Remediation
Immediate Action: Administrators and users must upgrade the AliasVault Web Client to version 0.26.0 or higher immediately.
Proactive Monitoring: Monitor web application logs for suspicious script injection patterns or unusual client-side behavior reported by users.
Compensating Controls: Employ a Content Security Policy (CSP) to restrict the execution of unauthorized inline scripts and external resources within the web client.
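The two defensive points above (the missing origin isolation around srcdoc in the Vulnerability section, and CSP as a compensating control) can be illustrated together. The following is an added example written for this advisory, not AliasVault's own code: it wraps untrusted email HTML in a srcdoc iframe whose sandbox attribute carries neither allow-scripts nor allow-same-origin, prepends a restrictive CSP to the framed document, escapes the srcdoc value so email content cannot break out of the attribute, and audits a sandbox value for settings that defeat the isolation. The function names, the policy string and the sample email are assumptions made for the example; the code returns strings rather than touching a DOM so it runs under Node.

```javascript
// Added example (not AliasVault's code): isolating untrusted email HTML in a
// srcdoc iframe and auditing the sandbox configuration.
// Assumption: the caller inserts the returned tag string into the page.

// Restrictive CSP for the framed document (constructed policy): no scripts,
// no network fetches, inline styles and data: images only.
const FRAME_CSP =
  "default-src 'none'; img-src data:; style-src 'unsafe-inline'; " +
  "form-action 'none'; base-uri 'none'";

// Empty sandbox value: no allow-scripts and no allow-same-origin, so the
// frame gets an opaque origin and cannot run script or reach the parent's
// cookies, storage or DOM.
const FRAME_SANDBOX = "";

// Escape text for a double-quoted HTML attribute value. The HTML parser
// decodes these entities back before parsing the srcdoc document, so the
// framed content is unchanged while the outer attribute stays intact.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the framed document with the CSP <meta> as the first element in
// <head>, so the policy is in force before attacker-controlled markup parses.
function buildSrcdoc(untrustedHtml) {
  return (
    '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${FRAME_CSP}">` +
    `</head><body>${untrustedHtml}</body></html>`
  );
}

// Attributes for the iframe that renders one email body.
function isolatedIframeAttrs(untrustedHtml) {
  return {
    sandbox: FRAME_SANDBOX,
    referrerpolicy: "no-referrer",
    srcdoc: buildSrcdoc(untrustedHtml),
  };
}

// Serialize the attributes into an <iframe> tag string.
function renderIframeTag(untrustedHtml) {
  const attrs = isolatedIframeAttrs(untrustedHtml);
  const parts = Object.entries(attrs).map(
    ([name, value]) => `${name}="${escapeAttr(value)}"`
  );
  return `<iframe ${parts.join(" ")}></iframe>`;
}

// Audit a sandbox attribute value; returns a list of findings (empty = isolated).
function auditSandbox(sandboxValue) {
  const findings = [];
  if (sandboxValue === null || sandboxValue === undefined) {
    findings.push("missing sandbox attribute: frame shares the parent origin and may run script");
    return findings;
  }
  const tokens = new Set(sandboxValue.split(/\s+/).filter(Boolean));
  if (tokens.has("allow-scripts")) {
    findings.push("allow-scripts: email content may execute JavaScript");
  }
  if (tokens.has("allow-same-origin")) {
    findings.push("allow-same-origin: frame shares the web client's origin (cookies, storage, DOM)");
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts with allow-same-origin: framed script can remove its own sandbox");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: email content can navigate the whole client");
  }
  return findings;
}

// Constructed sample: an email body carrying a script tag and an event handler.
const SAMPLE_EMAIL = '<script>alert(1)</script><img src="x" onerror="alert(2)">';
console.log(renderIframeTag(SAMPLE_EMAIL));
console.log(auditSandbox("allow-scripts allow-same-origin"));
```

The empty sandbox value is what actually stops script execution; the CSP meta is defense in depth for the case where a later change relaxes the sandbox, and the attribute escaping is what keeps a quote character in the email from terminating srcdoc and injecting attributes into the web client's own document.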
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ability to execute arbitrary scripts within a password management interface is a catastrophic security failure. Immediate migration to version 0.26.0 is mandatory to protect user credentials and maintain organizational privacy.