#1136003 postorius: CVE-2026-44742

Package:
src:postorius
Source:
src:postorius
Submitter:
Moritz Mühlenhoff
Date:
2026-05-15 04:41:02 UTC
Severity:
normal
Tags:
#1136003#5
Date:
2026-05-08 13:17:10 UTC
From:
To:
Hi,

The following vulnerability was published for postorius.

CVE-2026-44742[0]:
| Postorius through 1.3.13 does not escape HTML in the message subject
| when rendering it in the Held messages pop-up, as exploited in the
| wild in May 2026.

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
https://gitlab.com/mailman/postorius/-/merge_requests/972

I'm preparing a DSA as well.



If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44742
https://www.cve.org/CVERecord?id=CVE-2026-44742

Please adjust the affected versions in the BTS as needed.

#1136003#16
Date:
2026-05-14 17:28:27 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for postorius (versioned as 1.3.13-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

Making this as we otherwise regress from trixie after the relesed DSA.

Regards,
Salvatore

#1136003#25
Date:
2026-05-14 17:38:13 UTC
From:
To:
Hi

Actually I'm cancelling this upload since python3-django-postorius is
not installable in unstable (due to its strict dependencies to
python3-django, filled a bug about it).

Regards,
Salvatore

#1136003#32
Date:
2026-05-15 04:29:52 UTC
From:
To:
Hi, I see in https://tracker.debian.org/pkg/postorius
that 1.3.13-1+deb13u1 is in unstable and testing. Is this some kind of
mistake? Security team?