Vulnerabilities in GNU Mailman 2.1.18

| Date | CVE | Title | Description | Attack vector | Complexity | Vendor(s) | CWE | Risk score |
|---|---|---|---|---|---|---|---|---|
| 2025-04-20 | CVE-2025-43919 | Path Traversal vulnerability in GNU Mailman | GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter. | network | low | gnu | CWE-22 | 7.5 |
| 2025-04-20 | CVE-2025-43920 | OS Command Injection vulnerability in GNU Mailman | GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. | network | high | gnu | CWE-78 | 8.1 |
| 2025-04-20 | CVE-2025-43921 | Incorrect Authorization vulnerability in GNU Mailman | GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. | network | low | gnu | CWE-863 | 5.3 |
| 2023-04-15 | CVE-2021-34337 | Unspecified vulnerability in GNU Mailman | An issue was discovered in Mailman Core before 3.3.5. | local | high | gnu | | 6.3 |
| 2021-12-02 | CVE-2021-44227 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products | In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. | network | low | gnu, debian | CWE-352 | 8.8 |
| 2021-11-12 | CVE-2021-43331 | Cross-site Scripting vulnerability in multiple products | In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS. | network | low | gnu, debian | CWE-79 | 6.1 |
| 2021-11-12 | CVE-2021-43332 | Insufficiently Protected Credentials vulnerability in multiple products | In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. | network | low | gnu, debian | CWE-522 | 6.5 |
| 2021-10-21 | CVE-2021-42096 | Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. | network | low | gnu, debian | CWE-307 | 4.3 |
| 2021-10-21 | CVE-2021-42097 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. | network | low | gnu, debian | CWE-352 | 8.0 |
| 2020-06-24 | CVE-2020-15011 | Injection vulnerability in multiple products | GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. | network | low | gnu, canonical, debian | CWE-74 | 4.3 |