Description
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.
Exploits
No known exploits found for this CVE.
Search Exploit-DBReferences
cve@mitre.org
https://github.com/0NYX-MY7H/CVE-2025-43919cve@mitre.org
https://github.com/cpanel/mailman2-python3