CVE-2026-44742 PUBLISHED

Assigner: mitre
Reserved: 07.05.2026 Published: 07.05.2026 Updated: 08.05.2026

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 7.2

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Postorius project
Product	Postorius
Versions	Default: unknown affected from 0 to 1.3.13 (incl.)

References

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
https://gitlab.com/mailman/postorius/-/merge_requests/972
https://gitlab.com/mailman/postorius/-/issues/620
https://www.openwall.com/lists/oss-security/2026/05/07/3

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE