oss-sec mailing list archives

Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier


From: Demi Marie Obenour <demiobenour () gmail com>
Date: Fri, 8 May 2026 00:19:24 -0400

On 5/7/26 03:22, Alyssa Ross wrote:
The current released version of Postorius, and earlier versions, contain
an XSS vulnerability in the admin UI.  A fix was merged upstream in
January 2025, which included documentation of the security issue in the
news file[1], but no release has been made since, and I don't see any
previous discussion in the oss-security archives.  Distributions
packaging the latest release that have not backported this fix are
vulnerable.  I have heard that this issue is being actively exploited.

[1]: https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b

Yikes!  Looks like the PyPI version is also vulnerable.

I wonder if Postorius is going to make a release again, or if users
should start deploying git versions in the future.  I know that the
(unrelated) h2o project (a C HTTP server library and daemon) does
tell users to use its master branch.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


Current thread: