The current released version of Postorius, and earlier versions, contain an XSS vulnerability in the admin UI. A fix was merged upstream in January 2025, which included documentation of the security issue in the news file[1], but no release has been made since, and I don't see any previous discussion in the oss-security archives. Distributions packaging the latest release that have not backported this fix are vulnerable. I have heard that this issue is being actively exploited.
[1]: https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
