Description
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Published: 2026-05-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4600-1 postorius security update
Debian DSA Debian DSA DSA-6257-1 postorius security update
Github GHSA Github GHSA GHSA-r7c9-7pjq-hmm8 Postorius is vulnerable to XSS
Ubuntu USN Ubuntu USN USN-8323-1 Postorius vulnerability
History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Thu, 07 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Unescaped HTML in Message Subject Enables XSS via Held Messages Pop‑up

Thu, 07 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
First Time appeared Postorius Project
Postorius Project postorius
Weaknesses CWE-79
CPEs cpe:2.3:a:postorius_project:postorius:*:*:*:*:*:*:*:*
Vendors & Products Postorius Project
Postorius Project postorius
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Postorius Project Postorius
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-25T23:25:05.656Z

Reserved: 2026-05-07T18:09:19.497Z

Link: CVE-2026-44742

cve-icon Vulnrichment

Updated: 2026-05-25T23:25:05.656Z

cve-icon NVD

Status : Modified

Published: 2026-05-07T19:16:02.500

Modified: 2026-06-17T10:51:17.550

Link: CVE-2026-44742

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses