CVE-2025-43921

Description

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected products

gnu / Mailman2.1.39 – 2.1.39

References

MAILING_LISThttps://code.launchpad.net/~mailman-coders/mailman/2.1
MISChttps://github.com/0NYX-MY7H/CVE-2025-43921
MAILING_LISThttps://github.com/cpanel/mailman2-python3
MAILING_LISThttps://www.openwall.com/lists/oss-security/2025/04/21/6