CVE-2026-44742

HIGH NVD

CVSS Score 7.2

Severity HIGH

Published May 07, 2026

Vendor unknown

Description

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

References

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
https://gitlab.com/mailman/postorius/-/issues/620
https://gitlab.com/mailman/postorius/-/merge_requests/972
https://www.openwall.com/lists/oss-security/2026/05/07/3