Description
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Published: 2026-05-07
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Postorius up to version 1.3.13 fails to escape HTML characters in message subjects when rendering them in the Held messages pop‑up. This stored XSS flaw allows an attacker to inject malicious JavaScript that runs in the browser context of any user who opens the pop‑up, enabling session hijacking, credential theft, or defacement of the web interface.

Affected Systems

All installations of the Postorius web interface (vendor: Postorius Project) from the project's launch through version 1.3.13 are vulnerable. The fix is included in the GitLab commit referenced in the advisory; upgrading to any release that contains this commit remediates the flaw.

Risk and Exploitability

The CVSS score of 7.2 indicates significant impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, but it was exploited in the wild in May 2026. The likely attack vector requires a victim to click on a held message, triggering the pop‑up rendering of the unescaped subject. Once the pop‑up is loaded, the injected script executes with the privileges of the user’s browser session.

Generated by OpenCVE AI on May 7, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit c4706abd05ba6bcf472fc674b160d3a9d6a4868b or upgrade to a Postorius release that includes the fix.
  • If an upgrade is not possible immediately, restrict or disable the Held messages pop‑up feature for all users except administrators until a patch is available.
  • Implement a strict Content Security Policy that blocks inline scripts for the domain hosting Postorius to mitigate any residual XSS risk.
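As an added illustration (not Postorius's own template code, which this page does not show), the following Python contrasts the flaw class described above with its escaped form and gives a check a deployment's regression test could reuse; the wrapper markup, the function names and the sample subject are assumptions constructed for the example.

```python
import html

# Constructed sample: a held-message subject carrying markup, as a
# list moderator would see it in the Held messages pop-up.
SAMPLE_SUBJECT = "Re: Q2 budget <script>alert(1)</script>"

# Hypothetical wrapper markup; Postorius's real template is not shown on this page.
WRAPPER_OPEN = '<div class="held-subject">'
WRAPPER_CLOSE = "</div>"


def render_held_row_unescaped(subject: str) -> str:
    """Flaw class described in the advisory: the subject is interpolated
    into the pop-up markup verbatim, so any tags in it become live HTML."""
    return f"{WRAPPER_OPEN}{subject}{WRAPPER_CLOSE}"


def render_held_row_escaped(subject: str) -> str:
    """Hardened form: escape on output. '<', '>', '&' and quotes become
    entities, so the browser shows the subject as inert text."""
    return f"{WRAPPER_OPEN}{html.escape(subject, quote=True)}{WRAPPER_CLOSE}"


def subject_renders_as_text(rendered: str, subject: str) -> bool:
    """Regression check: the escaped form of the subject must appear in the
    output, and the raw form must not (when the two differ)."""
    escaped = html.escape(subject, quote=True)
    if escaped == subject:          # nothing to escape; raw presence is fine
        return subject in rendered
    return escaped in rendered and subject not in rendered


def find_markup_subjects(subjects: list[str]) -> list[str]:
    """Triage helper for unpatched installs: flag held subjects that contain
    characters HTML escaping would change, so they can be reviewed outside
    the pop-up instead of opened in it."""
    return [s for s in subjects if html.escape(s, quote=True) != s]


if __name__ == "__main__":
    print(render_held_row_unescaped(SAMPLE_SUBJECT))
    print(render_held_row_escaped(SAMPLE_SUBJECT))
    print(subject_renders_as_text(render_held_row_escaped(SAMPLE_SUBJECT), SAMPLE_SUBJECT))
```

In a Django-based deployment such as Postorius the same guarantee normally comes from template autoescaping, which is lost wherever a value is passed through the `safe` filter or `mark_safe`.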

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:00:00 +0000

Type: Title
Values removed: (none)
Values added: Unescaped HTML in Message Subject Enables XSS via Held Messages Pop‑up

Thu, 07 May 2026 19:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 19:00:00 +0000

Type: Description
Values removed: (none)
Values added: Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

Type: First Time appeared
Values removed: (none)
Values added: Postorius Project; Postorius Project postorius

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:postorius_project:postorius:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Postorius Project; Postorius Project postorius

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T06:25:34.759Z

Reserved: 2026-05-07T18:09:19.497Z

Link: CVE-2026-44742

Vulnrichment

Updated: 2026-05-07T19:00:16.271Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T19:16:02.500

Modified: 2026-05-07T19:53:21.760

Link: CVE-2026-44742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses