CVE-2026-35460 — Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. A — CVE Database · The Intelligence Room