CVE-2026-44742

Name: CVE-2026-44742
Description: Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4600-1, DSA-6257-1
Debian Bugs: 1136003

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                          Version             Status
postorius (PTS)   bullseye                         1.3.4-2+deb11u1     vulnerable
                  bullseye (security)              1.3.4-2+deb11u2     fixed
                  bookworm, bookworm (security)    1.3.8-3+deb12u1     fixed
                  trixie (security), trixie        1.3.13-1+deb13u1    fixed
                  forky, sid                       1.3.13-1+deb13u1    vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version       Urgency    Origin        Debian Bugs
postorius   source   bullseye     1.3.4-2+deb11u2                DLA-4600-1
postorius   source   bookworm     1.3.8-3+deb12u1                DSA-6257-1
postorius   source   trixie       1.3.13-1+deb13u1               DSA-6257-1
postorius   source   (unstable)   (unfixed)                                    1136003

Notes

https://gitlab.com/mailman/postorius/-/commit/8d00a3c317729f37435bdbd27170f630e341f29e
https://gitlab.com/mailman/postorius/-/merge_requests/972
