Apache Hupa is vulnerable to a cross-site scripting (XSS) attack. The library does not properly sanitize its text, allowing a malicious user to inject arbitrary JavaScript through an email; the script is executed when the email is opened or when it is displayed in a list of messages.
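
As an added illustration of the mitigation (not Apache Hupa's code; the message fields and function names are assumptions), the example below HTML-encodes email-supplied text before it is placed in a message-list row or a plain-text message view, the two display paths named above:

```javascript
// Added illustration, not Apache Hupa code. The field names (uid, from,
// subject, body) and function names are assumptions made for this example.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Message-list row: sender and subject are header values chosen by the
// sender of the email, so both are encoded before being placed in markup.
function renderListRow(msg) {
  return `<tr data-uid="${escapeHtml(msg.uid)}">` +
    `<td class="from">${escapeHtml(msg.from)}</td>` +
    `<td class="subject">${escapeHtml(msg.subject)}</td></tr>`;
}

// Message view for a text/plain body: encode first, then add the only
// markup the viewer itself introduces (line breaks).
function renderPlainBody(msg) {
  const encoded = escapeHtml(msg.body).replace(/\r?\n/g, "<br>");
  return `<div class="body">${encoded}</div>`;
}

// Constructed sample message carrying markup in each displayed field.
const sample = {
  uid: 42,
  from: '"Eve" <eve@example.test>',
  subject: "<img src=x onerror=alert(1)>",
  body: "line one\n<script>alert(1)</script>",
};

const row = renderListRow(sample);
const body = renderPlainBody(sample);
console.log(row);
console.log(body);
```

Encoding covers text fields only; an HTML message body needs an allow-list sanitizer instead, because encoding it would display the markup as literal text.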