Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.
Published: 2026-04-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Autodiscover logs
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated Autodiscover request can inject an EMailAddress value containing arbitrary HTML or JavaScript. The mailcow admin dashboard renders this value in the Autodiscover logs without escaping, storing the payload in Redis and executing it whenever an administrator views the logs. This stored cross‑site scripting can enable an attacker to run malicious scripts in the context of the logged‑in admin, potentially stealing session cookies or performing privileged actions.

Affected Systems

The issue affects installations of mailcow:mailcow-dockerized that are running any version prior to 2026-03b. Users who have not upgraded to 2026-03b or later are vulnerable.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is considered critical. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is network based through the Autodiscover endpoint. An attacker only needs to send a crafted Autodiscover request; no authentication is required. Once a malicious EMailAddress is logged, any administrator who opens the Autodiscover logs will execute the stored script in their browser, giving the attacker the capabilities of that admin account.

Generated by OpenCVE AI on April 22, 2026 at 05:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mailcow:mailcow-dockerized to version 2026-03b or later
  • If an upgrade cannot be performed immediately, restrict access to the Autodiscover endpoint to trusted IP addresses or disable unauthenticated requests
  • Clear existing Autodiscover logs and monitor for any additional logged entries to prevent future exploitation

Generated by OpenCVE AI on April 22, 2026 at 05:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Mailcow
Mailcow mailcow Dockerized
Vendors & Products Mailcow
Mailcow mailcow Dockerized

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.
Title mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field
Weaknesses CWE-79
CWE-80
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N'}

Subscriptions

Mailcow Mailcow Dockerized
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:37:20.223Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40872

cve-icon Vulnrichment

Updated: 2026-04-22T13:37:12.392Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T20:17:00.673

Modified: 2026-04-22T21:02:31.267

Link: CVE-2026-40872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses