CVE-2026-44742

Name: CVE-2026-44742
Description: Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                        | Version          | Status
postorius (PTS)  | bullseye (security), bullseye  | 1.3.4-2+deb11u1  | vulnerable
postorius (PTS)  | bookworm                       | 1.3.8-3          | vulnerable
postorius (PTS)  | forky, sid, trixie             | 1.3.13-1         | vulnerable

The information below is based on the following data on fixed versions.

Package    | Type    | Release     | Fixed Version | Urgency | Origin | Debian Bugs
postorius  | source  | (unstable)  | (unfixed)     |         |        |

Notes

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
https://gitlab.com/mailman/postorius/-/merge_requests/972
