DoorDash Business stored HTML injection email spoofing security flaw
Vulnerability
Summary
A DoorDash for Business stored HTML injection flaw let attackers send official-branded emails from [email protected], creating a near-perfect phishing channel. The issue was patched in November 2025 after reportedly remaining open for more than 15 months. Although DoorDash said it did not expose user data or internal systems, the weakness still enabled highly convincing social engineering.
Related Happenings
DoorDash hit by network compromise
Incident
First: 14.11.2025 06:38
Last: 14.11.2025 06:38
Sources 1
About this happening:
DoorDash disclosed a **cybersecurity incident** that exposed **user contact information** after an **unauthorized third party** gained access to account-linked data. The affected...
DoorDash user contact information leak
Data Leak
First: 14.11.2025 06:38
Last: 14.11.2025 06:38
Sources 1
About this happening:
DoorDash disclosed that **user contact information** was taken in an **unauthorized access** incident identified on **October 25, 2025**, creating a risk of phishing and account-f...
Timeline
- 17.11.2025 18:32 · 2 articles · 6mo ago
DoorDash Business stored HTML injection email spoofing security flaw
Initial Disclosure: The flaw began as a **stored HTML injection** issue in **DoorDash for Business** that was rendered inside a trusted email template. That let a free account generate branded mail from **[email protected]** and establish a credible phishing vector.
Sources:
- DoorDash email spoofing vulnerability sparks messy disclosure dispute — www.bleepingcomputer.com — 17.11.2025 18:32