CVE-2026-44742: Postorius is vulnerable to XSS

May 7, 2026 (updated May 12, 2026)

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

References

github.com/advisories/GHSA-r7c9-7pjq-hmm8
gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
gitlab.com/mailman/postorius/-/issues/620
gitlab.com/mailman/postorius/-/merge_requests/972
nvd.nist.gov/vuln/detail/CVE-2026-44742
www.openwall.com/lists/oss-security/2026/05/07/3

Code Behaviors & Features

Detect and mitigate CVE-2026-44742 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →