CVE-2026-40874

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...

EUVD-2026-24262

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

CVE-2026-40874

CVE-2026-40874 affects mailcow: dockerized. Prior to 2026-03b, there was no administrator verification for deleting Forwarding Hosts via /api/v1/delete/fwdhost, allowing any authenticated user to call the API. Deletion could significantly disrupt mail service, while checks existed only for edit/a...

CVE-2026-40872 mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...