Postorius Cross-Site Scripting Vulnerability in Held Messages Pop-Up

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Postorius versions through 1.3.13. The application does not HTML-escape the message subject when displaying it in the Held messages pop-up, so markup contained in a subject is rendered by the browser instead of being shown as text. This vulnerability has been actively exploited.

Impact

Exploitation of this vulnerability allows cross-site scripting: an attacker can inject scripts that execute in the browser of the user viewing the pop-up.

Reproduction

To reproduce this vulnerability, open the Held messages pop-up in the Postorius admin UI. The pop-up displays the message subject without HTML escaping, so injected HTML is rendered. This can be tested by sending a message whose subject includes HTML tags, such as bold tags, and observing how the subject is displayed in the pop-up.

Remediation

Update to Postorius version 1.3.14 or later, where this vulnerability is fixed.
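As an added illustration (not Postorius's own code, templates or data), the following Python models the defect described above and its fix with a simplified pop-up renderer: the markup, the HELD_MESSAGES sample records and every helper name are constructed here. The vulnerable renderer interpolates the subject raw, the hardened one passes every attacker-controlled string through html.escape first, and audit() shows how a review can check rendered output for subjects that would be parsed as live HTML.

```python
import html
import re

# Constructed sample of held-message records (not real Postorius data or its
# API). The first subject carries the kind of bold tags the advisory mentions.
HELD_MESSAGES = [
    {"sender": "alice@example.org", "subject": "Meeting <b>moved</b> to Friday"},
    {"sender": "bob@example.org", "subject": "Quarterly report & minutes"},
]

# Locates the subject cell in the hypothetical pop-up markup used below.
SUBJECT_CELL = re.compile(r'<span class="held-subject">(.*?)</span>', re.S)


def render_popup_vulnerable(msg):
    """Simplified model of the pre-1.3.14 behaviour (hypothetical markup):
    the subject is interpolated into the pop-up HTML without escaping."""
    return (
        '<div class="held-message">'
        f'<span class="held-sender">{html.escape(msg["sender"])}</span>'
        f'<span class="held-subject">{msg["subject"]}</span>'
        "</div>"
    )


def render_popup_fixed(msg):
    """Hardened form: every user-controlled string is HTML-escaped before it
    is placed in markup. quote=True also escapes quotes, which matters if the
    value could ever land inside an attribute."""
    return (
        '<div class="held-message">'
        f'<span class="held-sender">{html.escape(msg["sender"], quote=True)}</span>'
        f'<span class="held-subject">{html.escape(msg["subject"], quote=True)}</span>'
        "</div>"
    )


def subject_cell(rendered):
    """Return the raw text between the subject span tags, i.e. exactly what
    the browser would receive for that cell."""
    m = SUBJECT_CELL.search(rendered)
    return m.group(1) if m else ""


def contains_raw_markup(fragment):
    """True if the fragment still carries characters a browser would parse as
    markup, meaning the subject reached the page unescaped."""
    return "<" in fragment or ">" in fragment


def audit(render):
    """Run a renderer over the sample queue and return the subjects that
    would be rendered as live HTML (an empty list means the output is safe)."""
    return [m["subject"] for m in HELD_MESSAGES
            if contains_raw_markup(subject_cell(render(m)))]


if __name__ == "__main__":
    for name, render in (("vulnerable", render_popup_vulnerable),
                         ("fixed", render_popup_fixed)):
        print(f"{name}: leaked subjects = {audit(render)}")
```

Django, on which Postorius is built, auto-escapes template variables by default, so a value that reaches the page unescaped has usually either been marked safe on the server or been built into HTML on the client (for example by assigning to innerHTML in the script that fills a pop-up). Which of those paths applied to Postorius is not stated in this advisory; the check in audit() is indifferent to the cause, since it inspects only what the browser would receive.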

Added: May 7, 2026, 7:30 PM
Updated: May 7, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.4
remediation: 0.0
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.