CVE-2026-44742

HIGH EXPLOITED

Postorius < 1.3.13 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploitation Summary

CVE-2026-44742 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

Scores

CVSS v3 7.2
EPSS 0.0001
EPSS Percentile 1.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2026-05-07
CWE CWE-79
Status published
Products (3)
Postorius project/Postorius < 1.3.13
postorius_project/postorius < 1.3.13
pypi/postorius 0 - 1.3.13 (PyPI)
Published May 07, 2026
Tracked Since May 08, 2026