{"id":"PYSEC-2026-657","summary":"Mailman Cross-site scripting (XSS) vulnerability ","details":"Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters.","aliases":["CVE-2003-0038","GHSA-82rm-28q9-435p"],"modified":"2026-07-06T08:00:39.997498538Z","published":"2026-07-02T14:13:18.100267Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2003-0038"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/11152"},{"type":"WEB","url":"http://marc.info/?l=bugtraq&m=104342745916111"},{"type":"WEB","url":"http://telia.dl.sourceforge.net/sourceforge/mailman/xss-2.1.0-patch.txt"},{"type":"WEB","url":"http://www.debian.org/security/2004/dsa-436"},{"type":"WEB","url":"http://www.osvdb.org/9205"},{"type":"WEB","url":"http://www.securityfocus.com/bid/6677"},{"type":"WEB","url":"http://www.securitytracker.com/id?1005987"},{"type":"PACKAGE","url":"https://pypi.org/project/mailman"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-82rm-28q9-435p"}],"affected":[{"package":{"name":"mailman","ecosystem":"PyPI","purl":"pkg:pypi/mailman"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.1"}]}],"versions":["3.0.0b3-"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mailman/PYSEC-2026-657.yaml"}}],"schema_version":"1.7.5"}