VDB
KO
HIGH 8.8

PYSEC-2026-660

Cross Site Request Forgery in mailman

Details

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mailman
Introduced in: 0 Fixed in: 2.1.38
Fix pip install --upgrade 'mailman>=2.1.38'

References