matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.
Affected versions of this package are vulnerable to Improper Input Validation. HTML injection is possible in notification emails regarding missed messages or an expiring account. In the case of notifications for missed messages, an attacker can inject forged content into the email. However, the account expiry feature is not enabled by default, and the HTML injection in that case is not controllable by an attacker.
Upgrade matrix-synapse to version 1.27.0 or higher.
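An added illustration of the issue class described above, not code from Synapse or from this advisory: a simplified missed-message email built with Python's standard library, rendered once with user-controlled fields inserted as-is and once with them HTML-escaped. The template, function names and sample room name are constructed for the example.

```python
import html
from string import Template

# Hypothetical, simplified missed-message email (not Synapse's real template).
EMAIL_TEMPLATE = Template(
    "<html><body>"
    "<p>You missed a message in <b>$room</b> from <b>$sender</b>:</p>"
    "<blockquote>$body</blockquote>"
    "</body></html>"
)

# Constructed sample: a room name that closes the <b> tag and adds its own markup.
SAMPLE_ROOM = (
    'Lobby</b><p>Forged paragraph with a '
    '<a href="https://example.invalid/">link</a></p><b>'
)


def render_unsafe(room: str, sender: str, body: str) -> str:
    """Vulnerable form: user-controlled fields go into the HTML unchanged."""
    return EMAIL_TEMPLATE.substitute(room=room, sender=sender, body=body)


def render_escaped(room: str, sender: str, body: str) -> str:
    """Hardened form: every user-controlled field is HTML-escaped first."""
    return EMAIL_TEMPLATE.substitute(
        room=html.escape(room, quote=True),
        sender=html.escape(sender, quote=True),
        body=html.escape(body, quote=True),
    )


def contains_injected_markup(rendered: str, field_value: str) -> bool:
    """True if a field that needs escaping appears verbatim in the output."""
    return html.escape(field_value, quote=True) != field_value and field_value in rendered


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        out = render(SAMPLE_ROOM, "alice", "hi")
        print(f"{name}: injected markup present = "
              f"{contains_injected_markup(out, SAMPLE_ROOM)}")
        print(out)
```

The `contains_injected_markup` check can be reused in a regression test for any email template: feed each user-controlled field a value containing markup and assert it never appears verbatim in the rendered message.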