oss-sec mailing list archives
XSS in Postorius (Mailman 3) 1.3.13 and earlier
From: Alyssa Ross <hi () alyssa is>
Date: Thu, 07 May 2026 09:22:35 +0200
The current released version of Postorius, and earlier versions, contain an XSS vulnerability in the admin UI. A fix was merged upstream in January 2025, which included documentation of the security issue in the news file[1], but no release has been made since, and I don't see any previous discussion in the oss-security archives.

Distributions packaging the latest release that have not backported this fix are vulnerable.

I have heard that this issue is being actively exploited.

[1]: https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b