CVE-2026-44742
Published: 2026-05-07
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Priority: P277 · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 0.24% (14.6th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postorius_project | postorius | <= 1.3.13 | — |
| postorius_project | postorius | 0 – 1.3.13 | — |
| ubuntu | postorius | — | — |
Detection & IOCs (extracted from sources)
- Look for HTML or JavaScript payloads in the Subject header of messages held for moderation on Postorius-managed lists; the Held messages pop-up renders that subject without escaping, and this is the injection point for CVE-2026-44742. Decode RFC 2047 encoded-words before matching, otherwise a base64-wrapped `<script>` in the raw header is missed.
- Alert on HTTP responses from the Postorius held-message views that carry unescaped angle brackets or script tags inside the subject field; that means a payload reached a moderator's browser.
- Flag Postorius deployments at version 1.3.13 or earlier as vulnerable; exploitation was confirmed in the wild in May 2026.
- This is a stored XSS delivered over SMTP: the attacker needs no Postorius account (PR:N), only a message with a crafted subject that ends up held for moderation on a list, and the payload fires when a list moderator opens the Held messages pop-up (UI:R). Because the script runs in the moderator's session it can act on the list with that moderator's privileges.
- Because exploitation was confirmed in the wild in May 2026, treat any Postorius instance at 1.3.13 or earlier whose web UI is reachable from the internet as actively at risk.
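The first two detection items above can be turned into a small triage script. The following is an added example written for this page, not Postorius or Mailman code: it assumes the reviewer can pull raw RFC 5322 messages from the moderation queue (the `SAMPLES` below are constructed, not captured traffic) and, optionally, the HTML of a held-message page as served to a moderator. The `HIGH` and `TAG_LIKE` patterns and the three-level labelling are this example's own heuristics, not something the advisory specifies. The `encoded` sample shows the case a raw grep misses: the same `<script>` payload wrapped in an RFC 2047 encoded-word, which the parser decodes before the pattern is applied.

```python
"""Triage Subject headers of held messages for the CVE-2026-44742 payload shape.

Added example, not Postorius or Mailman code. Assumes raw RFC 5322 messages
from the moderation queue and, optionally, the served HTML of a held-message
page. SAMPLES are constructed for illustration.
"""
import email
import html
import re
from email import policy

# Constructed sample messages (not real traffic). "encoded" hides the payload in
# an RFC 2047 encoded-word: base64 of "<script>alert(1)</script>", so a grep for
# "<script" on the raw header line would not find it.
SAMPLES = {
    "benign": b"From: alice@example.org\r\nSubject: Minutes 2026-05\r\n\r\nhi\r\n",
    "tag_like": b"From: bob@example.org\r\nSubject: Agenda for Friday <draft>\r\n\r\nhi\r\n",
    "plain": (b"From: eve@example.net\r\n"
              b"Subject: Re: budget <img src=x onerror=alert(document.cookie)>\r\n"
              b"\r\nhi\r\n"),
    "encoded": (b"From: eve@example.net\r\n"
                b"Subject: =?utf-8?b?PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==?=\r\n"
                b"\r\nhi\r\n"),
}

# Markup that executes script when a browser renders it unescaped (heuristic).
HIGH = re.compile(
    r"<\s*/?\s*script\b|<\s*(iframe|svg|object|embed|img)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.I,
)
# Any bare tag-like token: worth a look, but "<draft>" in a subject is ordinary.
TAG_LIKE = re.compile(r"<\s*/?[a-z][a-z0-9-]*\s*/?>", re.I)


def decode_subject(raw: bytes) -> str:
    """Parse a raw message and return the Subject with encoded-words decoded.

    policy.default makes msg["Subject"] a decoded header object, so RFC 2047
    base64/quoted-printable wrapping is removed before any matching."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(msg["Subject"] or "")


def classify_subject(subject: str) -> str:
    """Return 'high', 'review' or 'clean' for a decoded subject."""
    if HIGH.search(subject):
        return "high"
    if TAG_LIKE.search(subject):
        return "review"
    return "clean"


def escape_subject(subject: str) -> str:
    """What the pop-up should emit for the subject: HTML-escaped text."""
    return html.escape(subject, quote=True)


def rendered_unescaped(page_html: str, subject: str) -> bool:
    """True if a subject containing markup appears verbatim in served HTML,
    which means the view emitted it without escaping (second IOC above)."""
    return "<" in subject and subject in page_html


def in_affected_range(version: str) -> bool:
    """True for a dotted Postorius version inside the advisory range (<= 1.3.13)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= (1, 3, 13)


def triage(samples: dict) -> dict:
    """Decode and classify every sample; returns {name: (subject, level)}."""
    out = {}
    for name, raw in samples.items():
        subject = decode_subject(raw)
        out[name] = (subject, classify_subject(subject))
    return out


if __name__ == "__main__":
    for name, (subject, level) in triage(SAMPLES).items():
        print(f"{name:9} {level:7} {subject!r}")
        if level != "clean":
            print(f"{'':9} escaped: {escape_subject(subject)}")
```

Running it prints the decoded subject and level for each sample; both payload samples come out as `high` even though only one contains `<script` in its raw header, and the escaped form shows what a correctly rendered subject looks like. Feed `rendered_unescaped` the HTML of a held-message page together with the decoded subjects to confirm whether a given instance actually emits them raw.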
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| VulnCheck | — | 7.2 | HIGH | — |
VulDB · 2026-05-07 · CVSS 7.2 (HIGH)
Postorius up to 1.3.13 cross site scripting (ID 620)
A vulnerability labeled as problematic has been found in Postorius up to 1.3.13. Impacted is an unknown function. The manipulation results in cross site scripting.
This vulnerability was named CVE-2026-44742. The attack may be performed from remote. There is no available exploit.
A patch should be applied to remediate this issue.
GHSA · 2026-05-07 · CWE-79 · HIGH
Postorius is vulnerable to XSS
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
GHSA (unreviewed) · 2026-05-07 · CWE-79 · HIGH
GHSA-r7c9-7pjq-hmm8: Postorius through 1
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
VulnCheck · 2026 · CVSS 7.2 (HIGH)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2026-44742
Ubuntu · 2026-05-27
Postorius vulnerability
Summary: Postorius could be made to expose sensitive information over the network.
It was discovered that Postorius did not properly escape HTML in message subjects when rendering the Held messages pop-up. An attacker could possibly use this issue to inject arbitrary HTML, resulting in exposure of sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-05-12 · CVSS 7.2 (HIGH)
CVE-2026-44742 python-postorius: Postorius: Cross-Site Scripting via unescaped HTML in message subject [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla · 2026-05-12 · CVSS 7.2 (HIGH)
CVE-2026-44742 python-postorius: Postorius: Cross-Site Scripting via unescaped HTML in message subject [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla · 2026-05-07 · CVSS 7.2 (HIGH)
CVE-2026-44742 Postorius: Postorius: Cross-Site Scripting via unescaped HTML in message subject
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
References
- https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
- https://gitlab.com/mailman/postorius/-/issues/620
- https://gitlab.com/mailman/postorius/-/merge_requests/972
- https://www.openwall.com/lists/oss-security/2026/05/07/3
- https://lists.debian.org/debian-lts-announce/2026/05/msg00045.html