Every CVE whose affected-product data names Gnu Mailman, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (47)
CVE-2016-6893 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to…
CVE-2021-44227 — CVSS 8.8 (high): In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new…
CVE-2016-7123 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack…
CVE-2021-42097 — CVSS 8.0 (high): GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker…
CVE-2005-4153 — CVSS 7.8 (high): Mailman 2.1.4 through 2.1.6 allows remote attackers to cause a denial of service via a message that causes the server to "fail with an…
CVE-2015-2775 — CVSS 7.6 (high): Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary…
CVE-2002-0388 — CVSS 7.5 (high): Cross-site scripting vulnerabilities in Mailman before 2.0.11 allow remote attackers to execute script via (1) the admin login page, or (2)…
CVE-2006-2191 — CVSS 7.5 (high): Format string vulnerability in Mailman before 2.1.9 allows attackers to execute arbitrary code via unspecified vectors. NOTE: the vendor…
CVE-2002-0855 — CVSS 7.5 (high): Cross-site scripting vulnerability in Mailman before 2.0.12 allows remote attackers to execute script as other users via a subscriber's…
CVE-2001-1132 — CVSS 7.5 (high): Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to list administrative pages when there is an empty site or list…
CVE-2004-1143 — CVSS 7.5 (high): The password generation in mailman before 2.1.5 generates only 5 million unique passwords, which makes it easier for remote attackers to…
CVE-2000-0861 — CVSS 7.2 (high): Mailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion.
CVE-2003-0965 — CVSS 6.8 (medium): Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies…
CVE-2006-3636 — CVSS 6.8 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.9rc1 allow remote attackers to inject arbitrary web script or…
CVE-2021-43332 — CVSS 6.5 (medium): In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password…
CVE-2018-13796 — CVSS 6.5 (medium): An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted…
CVE-2021-34337 — CVSS 6.3 (medium): An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the…
CVE-2020-12137 — CVSS 6.1 (medium): GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS…
CVE-2018-5950 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or…
CVE-2021-43331 — CVSS 6.1 (medium): In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.
CVE-2025-43919 — CVSS 5.8 (medium): GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at…
CVE-2025-43920 — CVSS 5.4 (medium): GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to…
CVE-2018-0618 — CVSS 5.4 (medium): Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or…
CVE-2025-43921 — CVSS 5.3 (medium): GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint…
CVE-2001-0884 — CVSS 5.1 (medium): Cross-site scripting vulnerability in Mailman email archiver before 2.08 allows attackers to obtain sensitive information or authentication…
CVE-2005-3573 — CVSS 5.0 (medium): Scrubber.py in Mailman 2.1.5-8 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote…
CVE-2003-0991 — CVSS 5.0 (medium): Unknown vulnerability in the mail command handler in Mailman before 2.0.14 allows remote attackers to cause a denial of service (crash) via…
CVE-2004-0182 — CVSS 5.0 (medium): Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field.
CVE-2004-0412 — CVSS 5.0 (medium): Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server.
CVE-2005-0080 — CVSS 5.0 (medium): The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 displays a different error message depending on whether the e-mail…
CVE-2005-0202 — CVSS 5.0 (medium): Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read…
CVE-2006-0052 — CVSS 5.0 (medium): The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote attackers…
CVE-2006-2941 — CVSS 5.0 (medium): Mailman before 2.1.9rc1 allows remote attackers to cause a denial of service via unspecified vectors involving "standards-breaking RFC 2231…
CVE-2000-0701 — CVSS 4.6 (medium): The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain…
CVE-2020-15011 — CVSS 4.3 (medium): GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.
CVE-2021-42096 — CVSS 4.3 (medium): GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be…
CVE-2011-5024 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in mmsearch/design in the Mailman/htdig integration patch for Mailman allows remote attackers to…
CVE-2011-0707 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject…
CVE-2004-1177 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web…
CVE-2003-0992 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of…
CVE-2003-0038 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via…
CVE-2010-3089 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary…
CVE-2006-1712 — CVSS 2.6 (low): Cross-site scripting (XSS) vulnerability in the private archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers to inject…
CVE-2006-4624 — CVSS 2.6 (low): CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly…
CVE-2002-0389 — CVSS 2.1 (low): Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to…