CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

EUVD-2026-24262

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

CVE-2026-40878

CVE-2026-40878 affects mailcow: dockerized prior to 2026-03b. The web interface passes raw $_SERVER['REQUEST_URI'] to Twig as a global variable and renders it inside a JavaScript string in setLang(), relying on Twig’s HTML escaping rather than JS escaping. Additionally, the query_string() Twig he...

CVE-2026-40875 mailcow: dockerized vulnerable to stored XSS in user login history real_rip

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

CVE-2026-40875

CVE-2026-40875 affects mailcow: dockerized (open source groupware/email suite). The vulnerability lies in the user dashboard’s login-history field (Seen successful connections) where the client IP is rendered without escaping HTML, relying on the X-Real-IP header for the source IP in logs. This e...

EUVD-2026-24256

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...

CVE-2026-40874 mailcow: dockerized missing authorization on Forwarding Hosts delete action

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...

CVE-2026-40874

CVE-2026-40874 affects mailcow: dockerized. Prior to 2026-03b, there was no administrator verification for deleting Forwarding Hosts via /api/v1/delete/fwdhost, allowing any authenticated user to call the API. Deletion could significantly disrupt mail service, while checks existed only for edit/a...

CVE-2026-40873 mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

EUVD-2026-24255

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVE-2026-40873

CVE-2026-40873 affects mailcow: dockerized. The Quarantine details modal injects attachment filenames into HTML without escaping, enabling stored XSS that can run when an admin views a quarantine item, potentially leading to account takeover. This vulnerability exists in versions prior to 2026-03...

CVE-2026-40873 mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVE-2026-40872 mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...

CVE-2026-40872 mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...

CVE-2026-40872

Affected product/variant: mailcow: dockerized (open source groupware/email suite). Issue: Stored XSS in Autodiscover logs via unescaped EMailAddress. Root cause (per description): Admin dashboard Autodiscover logs render the EMailAddress value (logged as the “user” field) without HTML escaping, e...

CVE-2026-40871 mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

CVE-2026-40871 mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

CVE-2026-40871

CVE-2026-40871 affects the mailcow: dockerized project. Versions prior to 2026-03b are vulnerable to a second-order SQL injection in the quarantine_category field exposed via the Mailcow API, specifically at the /api/v1/add/mailbox endpoint. The input is stored without validation and later used b...

EUVD-2026-24253

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...