Vendor
A cross-site scripting (XSS) vulnerability exists in Novu due to incomplete sanitization of HTML attributes in email previews, allowing arbitrary JavaScript execution.