HTML Injection - real Aptabase emails in aptabase/aptabase


Reported on

Aug 5th 2023


Due to lack of validation Name field during registration, bad actor can send emails with HTML injected code to the victims.

Proof of Concept

Payload example: J<a href="">ameees Repro steps: Go to and for field 'Name' use payload with HTML. Open email from Aptabase titled 'Confirm your registration', see valid payload. Hover by mouse - see injected link. "Hi Jameees" part of message - contains payload.

For Repro steps please use own emails, but please notice that bad actors can make this with victims email addresses (which not own).

Kind regards,


Bad actors can use this to phishing actions for example. Email is really send from Aptabase, but bad actors can add there HTML code injected (content spoofing).

Proposed remediation, solution: Sanitize/purify mentioned input data from users - don't allow to this.

Additional information: Server-Side Injection - Content Spoofing - Email HTML Injection -

We are processing your report and will contact the aptabase team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a a month ago
We have contacted a member of the aptabase team and are waiting to hear back a month ago
aptabase/aptabase maintainer validated this vulnerability a month ago
cod3rbm has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
aptabase/aptabase maintainer marked this as fixed in N/A with commit 709eb5 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
aptabase/aptabase maintainer published this vulnerability a month ago
a month ago


Hi @Maintainer thank you for message, quick action and your time here. I appreciate this. ✨Professional & responsible approach! 🎉 Have a good day, Kind regards,

to join this conversation