CVE-2026-44742: Postorius HTML Injection Exploited In The Wild

The National Vulnerability Database has published CVE-2026-44742, a high-severity (CVSS 7.2) HTML injection vulnerability affecting Postorius, the web front end for Mailman 3, through version 1.3.13. The flaw, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), stems from the message subject not being escaped before it is rendered in the 'Held messages' pop-up: a subject containing markup is parsed as HTML by the moderator's browser instead of being displayed as text.

Critically, this vulnerability is not theoretical: the advisory reports that it was actively exploited in the wild in May 2026. The attacker does not need a Postorius account. Held messages are emails waiting for moderator approval, so any message the list holds (a post from a non-member to a moderated list, for example) puts attacker-controlled subject text in front of whoever opens the 'Held messages' interface. The CVSS vector rates confidentiality and integrity impact as low (C:L, I:L) and availability impact as none (A:N), but in an administrative interface even that is significant: an injected subject can phish the moderator, deface the moderation view, or pull data out of the session. This is a classic stored cross-site scripting scenario, and its presence in an administrative panel elevates the risk.

Defenders running Postorius must prioritize upgrading to version 1.3.14 or later, which carries the fix from commit c4706abd05ba6bcf472fc674b160d3a9d6a4868b. Given the active exploitation, updating alone is not enough. Administrators should also inspect the held-message queue and mail logs for subjects containing HTML tags or inline event handlers, and check webserver access logs for who viewed the 'Held messages' interface around May 2026, since a moderator opening a poisoned subject in that window is the point at which the payload ran.

What This Means For You

  • If your organization runs Postorius for mailing list management, check the installed version now. Anything through 1.3.13 is vulnerable to CVE-2026-44742, which has been exploited in the wild. Upgrade to 1.3.14 or newer without delay. After patching, review held-message subjects and moderator activity for anything anomalous, especially around the exploitation window in May 2026.
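The following is an added illustration of the bug class and of the audit recommended above; it is not Postorius's code and does not claim to show the actual defective line in this CVE. Postorius is a Django application and Django templates autoescape by default, so bugs of this class usually come from a string marked safe (`|safe`, `mark_safe()`) or from client-side code inserting the subject via `innerHTML`; the advisory does not say which path applied here. The helpers `render_popup_vulnerable`, `render_popup_hardened` and `find_suspicious_subjects` are hypothetical names, and `HELD_QUEUE` is constructed sample data.

```python
"""Added illustration (not Postorius's code): a held-message pop-up fragment built
from an unescaped subject, the escaped equivalent, and a scanner that pulls
suspicious subjects out of a held queue. HELD_QUEUE is constructed sample data."""
import html
import re

# Constructed sample held queue. Entry 42 carries a payload in its Subject header.
HELD_QUEUE = [
    {"id": 41, "sender": "alice@example.org", "subject": "Agenda for Friday"},
    {"id": 42, "sender": "eve@example.net",
     "subject": '<img src=x onerror="alert(document.cookie)">Re: Agenda'},
    {"id": 43, "sender": "bob@example.org", "subject": "1 < 2 is true"},
]


def render_popup_vulnerable(msg: dict) -> str:
    """CWE-79 pattern: the subject is interpolated into markup as-is, so whoever
    controls the Subject header controls what the moderator's browser parses."""
    return f'<div class="held-subject">{msg["subject"]}</div>'


def render_popup_hardened(msg: dict) -> str:
    """Same fragment with the subject HTML-escaped. html.escape() converts
    & < > " ' to entities, so the subject is displayed, never parsed as tags."""
    return f'<div class="held-subject">{html.escape(msg["subject"])}</div>'


# A tag-like token (<img ...>, </b>) or an inline event handler (onerror=).
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_subjects(queue: list) -> list:
    """Return ids of held messages whose subject looks like markup.
    A bare '<' in ordinary text such as '1 < 2' is deliberately not flagged;
    hits are for manual review, not automatic discard."""
    return [m["id"] for m in queue
            if _TAG.search(m["subject"]) or _EVENT_HANDLER.search(m["subject"])]


if __name__ == "__main__":
    for m in HELD_QUEUE:
        print(m["id"], render_popup_hardened(m))
    print("review these held ids:", find_suspicious_subjects(HELD_QUEUE))
```

Feeding entry 42 through the vulnerable renderer produces a live `<img onerror=...>` element; the hardened renderer produces `&lt;img ... &gt;`, which the browser shows as text. The scanner is what the post-patch audit amounts to in practice: run it over the held queue (or an export of it) and read every hit, rather than trusting that the payload has already been rejected.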

🛡️ Detection Rules

The Sigma rule below was auto-generated for this advisory and mapped to MITRE ATT&CK.

Level: high · ATT&CK T1190 Exploit Public-Facing Application (Initial Access)

Sigma rule (YAML):
title: 'CVE-2026-44742: Postorius HTML Injection in Message Subject'   # quoted: a bare "key: value: more" is invalid YAML
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Flags POST requests to the Postorius 'Held messages' interface that carry a
  subject parameter in the query string. Know the limits of this rule: the
  payload for CVE-2026-44742 arrives in the Subject header of an email that is
  held for moderation, not in a web request, and it fires when a moderator views
  the held message. Webserver logs therefore show who used the interface and
  when, not the injected HTML itself. Treat hits as a pointer to the held queue
  and MTA logs, where the subject can be inspected for markup.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44742/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/mailman/postorius/held/'   # adjust to the URL prefix of your deployment
    cs-uri-query|contains: 'subject='             # placeholder parameter name; verify against your deployment
  selection_base:
    cs-method: 'POST'
    sc-status: 200
  condition: selection and selection_base
falsepositives:
  - Legitimate moderation actions (accept, reject, discard) submitted from the held messages page
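To make the rule's logic concrete, here is the same pair of selections applied to a handful of constructed W3C-style webserver log lines. This is an added example, not part of the page or of the rule; the field names follow the rule (cs-method, cs-uri, cs-uri-query, sc-status), the functions `parse_w3c`, `matches_rule` and `run_rule` are hypothetical, and the log lines are made up. Running it shows the rule's blind spot: the GET on which the moderator actually renders the held subject is not matched, only a POST that happens to carry subject= in its query string.

```python
"""Added example: the Sigma rule's two selections applied to constructed
W3C-style webserver log lines. Not part of the page's rule; the field layout
and every log line below are made up for illustration."""

# Field order of the constructed log (one space-separated record per line).
W3C_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "cs-uri-query", "sc-status"]

# Constructed sample log. Line 1 is the moderator opening the held messages
# page (where a poisoned subject would render); line 2 is a moderator POST that
# happens to carry subject= in the query string; lines 3 and 4 should not match.
SAMPLE_LOG = """\
2026-05-07 21:58:01 203.0.113.9 GET /mailman/postorius/held/ - 200
2026-05-07 21:58:40 203.0.113.9 POST /mailman/postorius/held/ subject=Agenda 200
2026-05-07 22:01:12 198.51.100.7 POST /mailman/postorius/held/ action=accept 302
2026-05-07 22:02:05 198.51.100.7 POST /mailman/postorius/lists/ subject=x 200
"""


def parse_w3c(line: str) -> dict:
    """Split one log line into named fields. '-' is the W3C placeholder for an
    empty field, which here means the request had no query string."""
    values = line.split()
    if len(values) != len(W3C_FIELDS):
        raise ValueError(f"expected {len(W3C_FIELDS)} fields, got {len(values)}: {line!r}")
    event = dict(zip(W3C_FIELDS, values))
    if event["cs-uri-query"] == "-":
        event["cs-uri-query"] = ""
    event["sc-status"] = int(event["sc-status"])
    return event


def matches_rule(event: dict) -> bool:
    """Mirror the rule: 'selection and selection_base' must both hold."""
    selection = ("/mailman/postorius/held/" in event["cs-uri"]
                 and "subject=" in event["cs-uri-query"])
    selection_base = event["sc-status"] == 200 and event["cs-method"] == "POST"
    return selection and selection_base


def run_rule(log_text: str) -> list:
    """Return 'date time' of every record the rule would alert on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_w3c(line)
        if matches_rule(event):
            hits.append(f'{event["date"]} {event["time"]}')
    return hits


if __name__ == "__main__":
    print("rule hits:", run_rule(SAMPLE_LOG))
```

Only the second line alerts. The first line, the GET that renders the held subject, is exactly the event an investigator wants when reconstructing who opened a poisoned message, and the rule as written does not surface it; pair the rule with a plain query for GET requests to the held messages path in the exposure window.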

Source: Shimi's Cyber World

Indicators of Compromise

The entries below describe the affected component and the injection vector; the advisory lists no network or file indicators (IP addresses, domains, hashes).

ID              Type  Indicator
CVE-2026-44742  XSS   Postorius through 1.3.13
CVE-2026-44742  XSS   HTML in the message subject
CVE-2026-44742  XSS   rendering in the 'Held messages' pop-up

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

  • CVE-2026-8087 — OSGeo GDAL buffer overflow (medium, CVSS 5.3; CWE-119, CWE-122). A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a...

  • CVE-2026-43510 — CISA's manage.get.gov domain manager vulnerability (high, CVSS 7.6; CWE-266). manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already...

  • CVE-2026-42241 — ParquetSharp vulnerability for applications reading untrusted Parquet files (medium, CVSS 5.3; CWE-789). ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc...