Novu has a XSS sanitization bypass
XSS sanitization is incomplete, some attributes are missing such as oncontentvisibilityautostatechange=. This allows for the email preview to render HTML that executes arbitrary JavaScript,
Advisories for Npm/Novu/Api package
2026