CVE-2026-44742

High

Published: 07 May 2026

Published

07 May 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0001 1.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-79

References

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
cve@mitre.org
https://gitlab.com/mailman/postorius/-/issues/620
cve@mitre.org
https://gitlab.com/mailman/postorius/-/merge_requests/972
cve@mitre.org
https://www.openwall.com/lists/oss-security/2026/05/07/3
cve@mitre.org