The Postorius project through version 1.3.13 contains a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability. Specifically, the application fails to escape HTML characters in the message subject field when displaying it in the Held messages pop-up interface. This allows an attacker to inject and execute arbitrary scripts in the context of the victim's browser, leading to potential information disclosure or session hijacking. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and scope change with low confidentiality and integrity impact but no availability impact. The vulnerability was publicly disclosed and exploited in the wild in May 2026. No patch or official fix has been documented at this time.

Successful exploitation of this vulnerability allows an attacker to execute arbitrary scripts in the context of a user's browser when viewing the Held messages pop-up. This can lead to information disclosure or manipulation of the user interface, potentially compromising user sessions or data confidentiality. The attack requires no privileges or user interaction and can be triggered remotely over the network. The scope of impact extends beyond the vulnerable component, affecting the overall security context of the user session.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users and administrators should exercise caution when interacting with message subjects in the Held messages pop-up. Consider applying temporary mitigations such as input sanitization or disabling the affected feature if feasible. Monitor vendor channels for updates regarding an official patch or workaround.