CVE-2026-44742
published 2026-05-07

CVE-2026-44742: Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

Priority: P2 (77)
Severity: medium, CVSS 3.1 base score 6.1
Vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 0.24% (14.6th percentile)

Affected (3 ranges)

Vendor              Product     Version range   Fixed in
postorius_project   postorius   <= 1.3.13
postorius_project   postorius   0 – 1.3.13
ubuntu              postorius

Detection & IOCs (extracted from sources)

  • The injection point for CVE-2026-44742 is the e-mail Subject header: HTML or JavaScript placed there is rendered unescaped in the Postorius "Held messages" pop-up. Look for held messages whose subject contains markup.
  • Alert on HTTP responses from Postorius held-message views in which the subject field contains raw angle-bracket tags or script elements rather than entities; that is the signature of active exploitation. A lone "<" in an ordinary subject (for example "5 < 6") is not a tag and should not be treated as one.
  • Flag Postorius deployments running version 1.3.13 or earlier as vulnerable; exploitation was confirmed in the wild as of May 2026.
  • This is a stored XSS: the payload arrives in the Subject of any message sent to a Postorius-managed list, is held for moderation, and fires when a moderator opens the Held messages pop-up. No authentication is needed to deliver it (PR:N), but a moderator has to view the pop-up (UI:R).
  • Exploitation was confirmed in the wild in May 2026; treat any Postorius ≤ 1.3.13 instance exposed to the internet as actively at risk.
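The following is an added example, not Postorius code and not a reproduction of its template. It illustrates the bug class the advisory describes (an attacker-controlled Subject interpolated into pop-up HTML without escaping) beside the hardened rendering, and implements the detection check from the IOC list: parse the pop-up markup the way a browser would and flag any tag or event-handler attribute the template never emitted. The pop-up skeleton, the function names, the ALLOWED_TAGS set and the sample subjects are all constructed here.

```python
# Added example (not Postorius code): the bug class behind CVE-2026-44742
# (an e-mail Subject dropped into the held-message pop-up HTML unescaped)
# beside the hardened rendering, plus a detection check that parses a
# response like a browser and flags markup the template never emitted.
# The pop-up skeleton, function names and sample subjects are constructed;
# the real Postorius template is not reproduced here.
import html
from html.parser import HTMLParser

# Constructed Subject headers as they might arrive in held messages.
SUBJECTS = [
    "Meeting minutes for May",
    "Re: 5 < 6, agreed?",                       # a bare '<' is not a tag
    "<script>alert(document.cookie)</script>",  # classic XSS probe
    '<img src=x onerror="alert(1)">',           # event-handler variant
]

# Tags the (constructed) pop-up skeleton legitimately contains.
ALLOWED_TAGS = {"div", "span"}

def render_held_popup_vulnerable(subject: str) -> str:
    """Hypothetical rendering with the bug pattern: the attacker-controlled
    Subject is interpolated straight into the markup, so any tags it carries
    become live DOM in the moderator's browser."""
    return f'<div class="modal-body"><span class="subject">{subject}</span></div>'

def render_held_popup_fixed(subject: str) -> str:
    """Hardened rendering: escape before interpolation. html.escape() turns
    <, >, &, and quotes into entities; Django template autoescaping or
    django.utils.html.escape does the same job inside a Django view."""
    return ('<div class="modal-body"><span class="subject">'
            f'{html.escape(subject, quote=True)}</span></div>')

class _PopupAudit(HTMLParser):
    """Record every tag and event-handler attribute a browser would act on."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")

def audit_held_popup(response_html: str) -> list[str]:
    """Detection check: parse the pop-up HTML and return a finding for every
    tag outside the skeleton and every on* attribute. Escaped subjects yield
    nothing, because '&lt;script&gt;' is text, not a tag; a subject that
    breaks out of the span with '</span>' is still caught, because the
    parser sees whatever tags follow the breakout."""
    audit = _PopupAudit()
    audit.feed(response_html)
    audit.close()
    return audit.findings

if __name__ == "__main__":
    for s in SUBJECTS:
        vuln = audit_held_popup(render_held_popup_vulnerable(s))
        fixed = audit_held_popup(render_held_popup_fixed(s))
        print(f"{s!r:45} vulnerable: {vuln or 'clean'}  fixed: {fixed or 'clean'}")
```

Parsing rather than grepping for "<" is deliberate: a subject such as "5 < 6" is harmless and must not page anyone, while a payload that closes the span early and then opens a script element must still be caught. Against a real deployment, feed the audit the HTML of the held-message view and widen ALLOWED_TAGS to the tags that page actually uses.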

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck             7.2     HIGH