Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on postorius (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.3.13.
DescriptionCVE.org
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
AnalysisAI
Cross-site scripting (XSS) in Postorius mail list management interface allows unauthenticated remote attackers to inject malicious scripts via crafted email subjects in held messages. Active exploitation confirmed in May 2026 per vendor disclosure. Affects all versions through 1.3.13. Public exploit code available via GitLab merge request #972. EPSS data not yet available for this recent CVE, but confirmed in-the-wild activity elevates priority significantly despite moderate CVSS 7.2 score.
Technical ContextAI
Postorius is the web-based management interface for GNU Mailman 3 mailing list software, built on Django. This vulnerability exploits improper HTML escaping (CWE-79) in the message subject rendering logic within the 'Held messages' administrative pop-up interface. When moderators review held/pending messages, the application renders email subjects without sanitizing HTML entities, allowing attacker-supplied HTML/JavaScript to execute in the moderator's browser context. The affected component is the template rendering layer that processes user-submitted email subjects for display in the web UI. Per CPE data (cpe:2.3:a:postorius_project:postorius), this affects the core Postorius project through version 1.3.13, indicating a vulnerability present across multiple release branches before remediation.
RemediationAI
Upgrade Postorius to version 1.3.14 or later, which incorporates the fix from GitLab commit c4706abd05ba6bcf472fc674b160d3a9d6a4868b (https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b). Organizations unable to immediately upgrade should implement emergency compensating controls: restrict access to the Postorius web interface to trusted administrative networks only via firewall rules or reverse proxy ACLs, reducing attacker surface from AV:N to internal-only access (note: this does not prevent attacks from compromised internal hosts or malicious insiders). Review web application firewall (WAF) rules to detect and block common XSS payloads in HTTP POST/GET parameters, though this may cause false positives with legitimate email content. As a Django application, consider enabling Django's built-in Content Security Policy middleware to restrict script execution, though this requires testing to avoid breaking legitimate Postorius functionality. Review held message queues for suspicious subjects containing HTML/JavaScript tags and purge before moderator review. Do NOT rely solely on browser XSS filters as these are deprecated in modern browsers. Consult the oss-security mailing list thread (https://www.openwall.com/lists/oss-security/2026/05/07/3) for community-identified indicators of compromise and attack patterns from the May 2026 exploitation campaign.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28415
GHSA-r7c9-7pjq-hmm8