interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page.
{ "availability": "No subscription required", "ubuntu_priority": "untriaged", "binaries": [ { "binary_version": "1.9.4-2build4", "binary_name": "rspamd" }, { "binary_version": "1.9.4-2build4", "binary_name": "rspamd-dbgsym" } ] }