CVE-2026-25529 — Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescape — CVE Database · The Intelligence Room