The XSS inbox variable vulnerability allows malicious markup supplied through a data variable to execute when the inbox notification that references that variable is opened. The same markup placed directly in the inbox template body is rendered as text and does not execute; only values that arrive through data variables are affected.
A customer reported the issue and demonstrated it with an iframe carrying a JavaScript alert payload. To reproduce it:

1. Create an inbox template and reference a data variable in the template body.
2. Send a message whose data payload sets that variable to the malicious markup.
3. Open the resulting inbox message; the markup executes when the message is rendered.

The issue was in our [Inbox](https://github.com/trycourier/courier-react/tree/main/packages/react-inbox) and [Components](https://github.com/trycourier/courier-react/tree/main/packages/components#readme) implementations on version 6.2.1. The release does not fix customers who have implemented their own Inbox on top of our APIs; if affected, they will need to apply a similar XSS fix (escape or sanitize data variable values before they are rendered as HTML). Please reach out to Courier Support for help.
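As an added illustration (example code written for this advisory, not courier-react's own code or its actual fix), the block below models the two rendering paths described above: a template body with a placeholder, a data payload that fills it, and a rendered HTML string of the kind that ends up in `innerHTML` or `dangerouslySetInnerHTML`. The `{{var}}` placeholder syntax, the function names and the sample template are assumptions for the example; the payload is constructed after the customer's report.

```javascript
// Added example, not courier-react code. Placeholder syntax, function names
// and the template are assumptions made for illustration.

// Escape the five characters that can break out of an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

const PLACEHOLDER = /\{\{\s*(\w+)\s*\}\}/g;

// Vulnerable path: data variable values are spliced into the template HTML
// verbatim. Markup in the payload becomes live DOM as soon as the string is
// rendered as HTML, which is the behaviour the advisory describes.
function renderInboxVulnerable(templateBody, data) {
  return templateBody.replace(PLACEHOLDER, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : ''
  );
}

// Hardened path: every data variable value is escaped before interpolation.
// The template author's own markup is kept; payload markup is displayed as
// text, matching how the same code behaves when typed into the template.
function renderInboxSafe(templateBody, data) {
  return templateBody.replace(PLACEHOLDER, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : ''
  );
}

// Small check for tests: is there still an unescaped <tag in the output?
function containsLiveTag(html, tag) {
  return new RegExp(`<${tag}\\b`, 'i').test(html);
}

// Constructed sample input, modelled on the reported iframe/alert payload.
const PAYLOAD = '<iframe src="javascript:alert(1)"></iframe>';
const TEMPLATE = '<p>Hi {{name}}, you have a new message: {{body}}</p>';
const DATA = { name: 'Alice', body: PAYLOAD };

console.log('vulnerable:', renderInboxVulnerable(TEMPLATE, DATA));
console.log('hardened:  ', renderInboxSafe(TEMPLATE, DATA));
```

In a React component the same distinction is whether a variable is rendered as a text child (`{value}`, which React escapes) or concatenated into a string handed to `dangerouslySetInnerHTML`. If a custom Inbox built on the APIs must render template HTML that way, escape each data variable as above before interpolation, or run the final string through an HTML sanitizer; escaping alone does not protect against untrusted markup that is already part of the template body.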