Source: postorius
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for postorius.

CVE-2026-44742[0]:
| Postorius through 1.3.13 does not escape HTML in the message subject
| when rendering it in the Held messages pop-up, as exploited in the
| wild in May 2026.

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
https://gitlab.com/mailman/postorius/-/merge_requests/972

I'm preparing a DSA as well.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44742
    https://www.cve.org/CVERecord?id=CVE-2026-44742

Please adjust the affected versions in the BTS as needed.
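As an added illustration of the bug class behind this report (not Postorius's own code, and not the contents of the linked commit), the snippet below renders a constructed held-message record into a pop-up fragment once without escaping and once with `html.escape`, and includes a small check a package maintainer could put in a test to confirm the subject is treated as text rather than markup. Function and field names are hypothetical.

```python
"""Stand-in for a moderator pop-up that interpolates a held message's
Subject into HTML. Hypothetical code for illustration, stdlib only."""
from html import escape
import re

# Constructed sample: a held message whose subject carries markup.
HELD_MESSAGE = {
    "msgid": "<constructed-1@example.invalid>",
    "sender": "someone@example.invalid",
    "subject": 'Re: <b>minutes</b> & "agenda"</h3><i>not the subject</i>',
}


def render_popup_vulnerable(msg):
    """Unescaped interpolation: subject text becomes part of the markup."""
    return (
        '<div class="held-message">'
        f'<h3>{msg["subject"]}</h3>'
        f'<p>From: {msg["sender"]}</p>'
        '</div>'
    )


def render_popup_fixed(msg):
    """Escape every untrusted field before it enters the HTML context."""
    return (
        '<div class="held-message">'
        f'<h3>{escape(msg["subject"])}</h3>'
        f'<p>From: {escape(msg["sender"])}</p>'
        '</div>'
    )


# Any tag other than the template's own three elements came from data.
_FOREIGN_TAG = re.compile(r"<(?!/?(?:div|h3|p)\b)[^>]*>")


def contains_foreign_markup(rendered_html):
    """True if the output holds tags the template itself did not emit."""
    return _FOREIGN_TAG.search(rendered_html) is not None


def subject_is_escaped(rendered_html, subject):
    """True if the subject appears only in its HTML-escaped form."""
    escaped = escape(subject)
    if escaped == subject:          # nothing to escape; trivially safe
        return True
    return escaped in rendered_html and subject not in rendered_html
```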

