Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

212 matches found

Nuclei
Nucleiadded yesterday6 views

Mailcow < 2026-03b - Href Link Injection

mailcow 2026-03b reflects raw REQUESTURI into JavaScript and href links on the login page, allowing attackers to inject parameters that break JS logic and enable phishing. id: CVE-2026-40878 info: name: Mailcow 2026-03b - Href Link Injection author: ritikchaddha severity: low description: | mailc...

2.1CVSS5.8AI score0.02959EPSS
Exploits0References3
NVD
NVDadded 2026/05/20 4:16 a.m.5 views

CVE-2026-7460

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML...

7.4CVSS0.00052EPSS
Exploits0References2
CVE
CVEadded 2026/05/20 2:19 a.m.9 views

CVE-2026-7460

CVE-2026-7460 affects mailcow-dockerized (2026-03b) and describes a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and render...

7.4CVSS5.6AI score0.00052EPSS
Exploits0References2
Cvelist
Cvelistadded 2026/05/20 2:19 a.m.39 views

CVE-2026-7460 mailcow-dockerized 2026-03b - Stored XSS in Queue Manager via unescaped

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML...

7.4CVSS0.00052EPSS
Exploits0References2
EUVD
EUVDadded 2026/05/20 2:19 a.m.5 views

EUVD-2026-31048

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML...

7.4CVSS5.6AI score0.00052EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/05/20 2:19 a.m.2 views

CVE-2026-7460

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML...

7.4CVSS5.6AI score0.00052EPSS
Exploits0References3Affected Software1
CNNVD
CNNVDadded 2026/05/20 12:0 a.m.5 views

mailcow dockerized 跨站脚本漏洞

Mailcow Dockerized is an open-source application developed by Mailcow. The version 2026-03b of Mailcow Dockerized contains a cross-site scripting vulnerability. This vulnerability stems from a storage-based cross-site scripting vulnerability in the administrator’s queue manager, which may cause t...

7.4CVSS5.6AI score0.00052EPSS
Exploits0References1
Positive Technologies
Positive Technologiesadded 2026/05/20 12:0 a.m.5 views

PT-2026-42099

Name of the Vulnerable Software and Affected Versions mailcow-dockerized version 2026-03b Description A stored cross-site scripting issue exists in the administrator Queue Manager. The Queue Manager retrieves mail queue entries from the endpoint '/api/v1/get/mailq/all' and copies server-controlle...

7.4CVSS5.8AI score0.00052EPSS
Exploits0References6
RedhatCVE
RedhatCVEadded 2026/04/22 7:22 p.m.1 views

CVE-2026-40872

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...

9.3CVSS5.8AI score0.00067EPSS
Exploits0References1
NVD
NVDadded 2026/04/21 8:17 p.m.1 views

CVE-2026-40875

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

7CVSS0.0006EPSS
Exploits0References1
NVD
NVDadded 2026/04/21 8:17 p.m.2 views

CVE-2026-40878

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS0.02959EPSS
Exploits0References1
NVD
NVDadded 2026/04/21 8:17 p.m.2 views

CVE-2026-40874

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...

6CVSS0.0005EPSS
Exploits0References1
NVD
NVDadded 2026/04/21 8:17 p.m.2 views

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

8.9CVSS0.00112EPSS
Exploits0References1
NVD
NVDadded 2026/04/21 8:17 p.m.2 views

CVE-2026-40872

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...

9.3CVSS0.00067EPSS
Exploits0References1
NVD
NVDadded 2026/04/21 8:17 p.m.1 views

CVE-2026-40871

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

7.2CVSS0.00073EPSS
Exploits0References1
EUVD
EUVDadded 2026/04/21 7:21 p.m.3 views

EUVD-2026-24262

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS5.8AI score0.02959EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/04/21 7:21 p.m.1 views

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS5.8AI score0.02959EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/04/21 7:21 p.m.27 views

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS0.02959EPSS
Exploits0References1
CVE
CVEadded 2026/04/21 7:21 p.m.5 views

CVE-2026-40878

CVE-2026-40878 affects mailcow: dockerized prior to 2026-03b. The web interface passes raw $_SERVER['REQUEST_URI'] to Twig as a global variable and renders it inside a JavaScript string in setLang(), relying on Twig’s HTML escaping rather than JS escaping. Additionally, the query_string() Twig he...

2.1CVSS5.8AI score0.02959EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/04/21 7:19 p.m.0 views

CVE-2026-40875 mailcow: dockerized vulnerable to stored XSS in user login history real_rip

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

7CVSS5.8AI score0.0006EPSS
Exploits0References1
Rows per page
Query Builder