CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/05/20 2:19 a.m.•9 views

CVE-2026-7460

CVE-2026-7460 affects mailcow-dockerized (2026-03b) and describes a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and render...

Cvelist•added 2026/05/20 2:19 a.m.•39 views

CVE-2026-7460 mailcow-dockerized 2026-03b - Stored XSS in Queue Manager via unescaped

7.4CVSS0.00052EPSS

EUVD•added 2026/05/20 2:19 a.m.•5 views

EUVD-2026-31048

ATTACKERKB•added 2026/05/20 2:19 a.m.•2 views

CVE-2026-7460

Exploits0References3Affected Software1

CNNVD•added 2026/05/20 12:0 a.m.•5 views

mailcow dockerized 跨站脚本漏洞

Mailcow Dockerized is an open-source application developed by Mailcow. The version 2026-03b of Mailcow Dockerized contains a cross-site scripting vulnerability. This vulnerability stems from a storage-based cross-site scripting vulnerability in the administrator’s queue manager, which may cause t...

Positive Technologies•added 2026/05/20 12:0 a.m.•5 views

PT-2026-42099

Name of the Vulnerable Software and Affected Versions mailcow-dockerized version 2026-03b Description A stored cross-site scripting issue exists in the administrator Queue Manager. The Queue Manager retrieves mail queue entries from the endpoint '/api/v1/get/mailq/all' and copies server-controlle...

7.4CVSS5.8AI score0.00052EPSS

Exploits0References6

GithubExploit•added 2026/05/18 5:14 p.m.•42 views

db-security-ctf

Database Security – CTF Vulnerability Lab SEC304 / CN5134...

5.8AI score

Exploits0

RedhatCVE•added 2026/04/22 7:22 p.m.•1 views

CVE-2026-40872

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...

9.3CVSS5.8AI score0.00067EPSS

NVD•added 2026/04/21 8:17 p.m.•1 views

CVE-2026-40875

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

7CVSS0.0006EPSS

CVE-2026-40878

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS0.02959EPSS

CVE-2026-40874

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...

6CVSS0.0005EPSS

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

8.9CVSS0.00112EPSS

CVE-2026-40872

9.3CVSS0.00067EPSS

NVD•added 2026/04/21 8:17 p.m.•1 views

CVE-2026-40871

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

7.2CVSS0.00073EPSS