PyPI package
postorius
pkg:pypi/postorius
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44742 | Hig | 7.2 | <= 1.3.13 | — | May 7, 2026 | Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026. | |
| CVE-2021-40347 | — | < 1.3.5 | 1.3.5 | Sep 10, 2021 | An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place. |
- affected <= 1.3.13
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
- CVE-2021-40347Sep 10, 2021affected < 1.3.5fixed 1.3.5
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.