Vulnerabilities > GNU > Mailman > High

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VECTOR / COMPLEXITY | VENDOR(S) | CWE | RISK |
|---|---|---|---|---|---|---|---|
| 2025-04-20 | CVE-2025-43919 | Path Traversal vulnerability in GNU Mailman | GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter. | network, low complexity | gnu | CWE-22 | 7.5 |
| 2025-04-20 | CVE-2025-43920 | OS Command Injection vulnerability in GNU Mailman | GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. | network, high complexity | gnu | CWE-78 | 8.1 |
| 2021-12-02 | CVE-2021-44227 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products | In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. | network, low complexity | gnu, debian | CWE-352 | 8.8 |
| 2021-10-21 | CVE-2021-42097 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. | network, low complexity | gnu, debian | CWE-352 | 8.0 |
| 2016-09-02 | CVE-2016-7123 | Cross-Site Request Forgery (CSRF) vulnerability in GNU Mailman | Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack the authentication of administrators. | network, low complexity | gnu | CWE-352 | 8.8 |
| 2016-09-02 | CVE-2016-6893 | Cross-Site Request Forgery (CSRF) vulnerability in GNU Mailman | Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. | network, low complexity | gnu | CWE-352 | 8.8 |