oss-sec mailing list archives
Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier
From: Demi Marie Obenour <demiobenour () gmail com>
Date: Fri, 8 May 2026 00:19:24 -0400
On 5/7/26 03:22, Alyssa Ross wrote:
The current released version of Postorius, and earlier versions, contain an XSS vulnerability in the admin UI. A fix was merged upstream in January 2025, which included documentation of the security issue in the news file[1], but no release has been made since, and I don't see any previous discussion in the oss-security archives. Distributions packaging the latest release that have not backported this fix are vulnerable. I have heard that this issue is being actively exploited. [1]: https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
Yikes! Looks like the PyPI version is also vulnerable. I wonder if Postorius is going to make a release again, or if users should start deploying git versions in the future. I know that the (unrelated) h2o project (a C HTTP server library and daemon) does tell users to use its master branch. -- Sincerely, Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
Current thread:
- XSS in Postorius (Mailman 3) 1.3.13 and earlier Alyssa Ross (May 07)
- Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier Demi Marie Obenour (May 07)
- Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier Sebastian Pipping (May 08)
- Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier Demi Marie Obenour (May 07)
