CVE-2025-43921

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
mitreCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
gnumailman
2.1.1 ≤
𝑥
≤ 2.1.39
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://code.launchpad.net/~mailman-coders/mailman/2.1
https://github.com/0NYX-MY7H/CVE-2025-43921
https://github.com/cpanel/mailman2-python3
https://www.openwall.com/lists/oss-security/2025/04/21/6