18 matches found

SUSE CVE
added 2026/05/09 2:39 a.m., 5 views

SUSE CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

CVSS: 7.2, AI score: 5.8, EPSS: 0.00011
Exploits: 0, References: 3
OSV
added 2026/05/07 9:30 p.m., 2 views

GHSA-R7C9-7PJQ-HMM8 Postorius is vulnerable to XSS

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

CVSS: 7.2, AI score: 5.8, EPSS: 0.00011
Exploits: 0, References: 6
Snyk
added 2026/05/07 8:24 p.m., 7 views

Cross-site Scripting (XSS)

Overview: postorius is a web user interface for GNU Mailman. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering process of the message subject in the Held messages pop-up. An attacker can execute arbitrary scripts in the context of the user's browser b...

CVSS: 7.2, AI score: 5.9, EPSS: 0.00011
Exploits: 0, References: 2
OSV
added 2026/05/07 7:16 p.m., 4 views

UBUNTU-CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

CVSS: 7.2, AI score: 5.8, EPSS: 0.00011
Exploits: 0, References: 5
CVE
added 2026/05/07 6:9 p.m., 41 views

CVE-2026-44742

CVE-2026-44742 affects Postorius up to version 1.3.13. The issue is that the message subject is not HTML-escaped when rendered in the Held messages pop-up, enabling HTML-injection-like rendering as noted “exploited in the wild in May 2026.” The provided sources confirm the affected software and t...

CVSS: 7.2, AI score: 5.8, EPSS: 0.00011
In wild, Exploits: 0, References: 5, Affected Software: 1
Debian CVE
added 2026/05/07 6:9 p.m., 7 views

CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

CVSS: 7.2, AI score: 5.8, EPSS: 0.00011
Exploits: 0
Positive Technologies
added 2026/05/07 12:0 a.m., 3 views

PT-2026-38553

Name of the Vulnerable Software and Affected Versions: Postorius versions prior to 1.3.14. Description: The software fails to escape HTML in the message subject when rendering it within the Held messages pop-up. This issue was exploited in the wild in May 2026. Recommendations: Update to a version...

CVSS: 7.2, AI score: 5.8, EPSS: 0.00011
Exploits: 0, References: 19
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2010-1257

Malware in sbrugna...

CVSS: 4.3, AI score: 6.1, EPSS: 0.00405
Exploits: 0, References: 5
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2017-14750

Malware in sbrugna...

CVSS: 6.1, AI score: 6.3, EPSS: 0.0024
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-24408

Malicious code in bioql PyPI...

CVSS: 4.8, AI score: 5.1, EPSS: 0.00225
Exploits: 2, References: 1
RedhatCVE
added 2025/05/23 1:25 a.m., 6 views

CVE-2022-25813

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SST...

CVSS: 7.5, AI score: 6.7, EPSS: 0.54256
Exploits: 1, References: 1
Prion
added 2022/09/02 7:15 a.m., 21 views

Code injection

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SST...

CVSS: 5, AI score: 7.4, EPSS: 0.54256
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2018/05/17 11:35 a.m., 8 views

OPENSUSE-SU-2018:1329-1 Security update for enigmail

This update for enigmail to version 2.0.4 fixes multiple issues. Security issues fixed: - CVE-2017-17688: CFB gadget attacks allowed to exfiltrate plaintext out of encrypted emails. enigmail now fails on GnuPG integrity check warnings for old Algorithms bsc1093151 - CVE-2017-17689: CBC gadget...

CVSS: 5.9, AI score: 6, EPSS: 0.02845
Exploits: 3, References: 5
OSV
added 2017/03/22 5:59 p.m., 10 views

CVE-2017-5673

In the Kunena extension 5.0.2 through 5.0.4 for Joomla!, the forum message subject (aka topic subject) accepts JavaScript, leading to XSS. Six files are affected: crypsis/layouts/message/item/default.php, crypsis/layouts/message/item/top/default.php, crypsis/layouts/message/item/bottom/default.php,...

CVSS: 6.1, AI score: 6.8
Exploits: 0, References: 2
UbuntuCve
added 2012/08/25 10:29 a.m., 20 views

CVE-2012-3507

Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject...

CVSS: 2.6, AI score: 7.3, EPSS: 0.00407
Exploits: 1, References: 2
Nmap
added 2012/04/17 7:35 p.m., 231 views

http-icloud-sendmsg NSE Script

Sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application. Script Arguments: http-icloud-sendmsg.username: the Apple ID username; http-icloud-sendmsg.sound: boolean specifying if a loud sound should be...

CVSS: 10, AI score: 0.3, EPSS: 0.94176
Exploits: 33
Cvelist
added 2008/08/22 4:0 p.m., 16 views

CVE-2008-3773

Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up" is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a private message subject (aka newpmtitle)...

AI score: 5.3, EPSS: 0.03583
Exploits: 0, References: 8
Cvelist
added 2005/03/24 5:0 a.m., 12 views

CVE-2005-0846

Multiple cross-site scripting (XSS) vulnerabilities in the email auto-reply message in SurgeMail 2.2g3 allow remote attackers to inject arbitrary web script or HTML via the (1) message subject or (2) message header field...

AI score: 5.8, EPSS: 0.00422
Exploits: 0, References: 4