66 matches found
Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Postorius vulnerability (USN-8323-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8323-1 advisory. It was discovered that Postorius did not properly escape HTML in message subjects when rendering the Held...
USN-8323-1 postorius vulnerability
It was discovered that Postorius did not properly escape HTML in message subjects when rendering the Held messages pop-up. An attacker could possibly use this issue to inject arbitrary HTML, resulting in exposure of sensitive information...
USN-8323-1: Postorius vulnerability
It was discovered that Postorius did not properly escape HTML in message subjects when rendering the Held messages pop-up. An attacker could possibly use this issue to inject arbitrary HTML, resulting in exposure of sensitive information...
Debian dla-4600 : python3-django-postorius - security update
The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4600 advisory. Debian LTS Advisory DLA-4600-1 [email protected] https://www.debian.org/lts/security/...
[SECURITY] [DLA 4600-1] postorius security update
Debian LTS Advisory DLA-4600-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert May 25, 2026 https://wiki.debian.org/LTS Package : postorius Version : 1.3.4-2+deb11u2 CVE ID : CVE-2026-44742 Debian Bug : 1136003 A vulnerability has been discovered in postorius, a we...
CVE-2026-44742
A flaw was found in Postorius. This vulnerability allows an attacker to embed malicious code within the subject of an email message. When an administrator or user views the 'Held messages pop-up', this malicious code is executed in their web browser. This can lead to Cross-Site Scripting (XSS),...
FreeBSD : postorius -- XSS (5b3b7f60-4de9-11f1-873e-0f64d023d0c7)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 5b3b7f60-4de9-11f1-873e-0f64d023d0c7 advisory. NIST reports: Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in...
SUSE CVE-2026-44742
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
[SECURITY] [DSA 6257-1] postorius security update
Debian Security Advisory DSA-6257-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 08, 2026 https://www.debian.org/security/faq ...
Debian dsa-6257 : python3-django-postorius - security update
The remote Debian 12 / 13 host has a package installed that is affected by a vulnerability as referenced in the dsa-6257 advisory. Debian Security Advisory DSA-6257-1 [email protected] https://www.debian.org/security/...
EUVD-2026-28415
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
mailman-web (>=0.0.5 <=0.0.9) potentially affected by CVE-2026-44742 via postorius (>=1.3.10 <=1.3.13)
postorius PYPI version =1.3.10, =0.0.5, =0.0.9 Source cves: CVE-2026-44742 Source advisory: OSV:GHSA-R7C9-7PJQ-HMM8...
Postorius is vulnerable to XSS
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
GHSA-R7C9-7PJQ-HMM8 Postorius is vulnerable to XSS
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
mailman-web (>=0.0.5 <=0.0.9) potentially affected by CVE-2026-44742 via postorius (>=1.3.10 <=1.3.13)
postorius PYPI version =1.3.10, =0.0.5, =0.0.9 Source cves: CVE-2026-44742 Source advisory: SNYK:PYTHON-POSTORIUS-16635974...
Cross-site Scripting (XSS)
Overview: postorius is a web user interface for GNU Mailman. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering process of the message subject in the Held messages pop-up. An attacker can execute arbitrary scripts in the context of the user's browser b...
CVE-2026-44742
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
UBUNTU-CVE-2026-44742
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
CVE-2026-44742
CVE-2026-44742 affects Postorius up to version 1.3.13. The issue is that the message subject is not HTML-escaped when rendered in the Held messages pop-up, enabling HTML-injection-like rendering as noted “exploited in the wild in May 2026.” The provided sources confirm the affected software and t...
CVE-2026-44742
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...