{"id":"PYSEC-2026-660","summary":"Cross Site Request Forgery in mailman","details":"In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.","aliases":["CVE-2021-44227","GHSA-xq58-69h2-765m"],"modified":"2026-07-06T08:00:43.410272699Z","published":"2026-07-02T14:13:14.288696Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44227"},{"type":"WEB","url":"https://bugs.launchpad.net/mailman/+bug/1952384"},{"type":"PACKAGE","url":"https://gitlab.com/mailman/mailman"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/06/msg00011.html"},{"type":"PACKAGE","url":"https://pypi.org/project/mailman"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xq58-69h2-765m"}],"affected":[{"package":{"name":"mailman","ecosystem":"PyPI","purl":"pkg:pypi/mailman"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.38"}]}],"versions":["3.0.0b3-"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mailman/PYSEC-2026-660.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}