An XSS vulnerability in the Mailman 2.1 web UI has been reported and assigned CVE-2018-5950, which is not yet public.
I plan to release Mailman 2.1.26 along with a patch for older releases to fix this issue on Feb 4, 2018. At that time, full details of the vulnerability will be public.
This is advance notice of the upcoming release and patch for those who need a week or two to prepare. The patch will be small and will affect only one module.
I am pleased to announce the release of Mailman 2.1.26.
Python 2.4 is the minimum supported, but Python 2.7 is strongly recommended.
This is a security and bug fix release with a couple of new features. See the attached README.txt for details.
For those who are concerned about the security vulnerability and can't upgrade immediately, there is a patch at https://bugs.launchpad.net/mailman/+bug/1747209/+attachment/5048344/+files/options.patch to fix the security issue. More information on the issue itself is in the bug report at https://bugs.launchpad.net/mailman/+bug/1747209.
Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see our web site at one of:
Mailman 2.1.26 can be downloaded from