Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
Published: 2026-04-21
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows an attacker to execute arbitrary JavaScript in a web admin’s browser, leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

In mailcow‑dockerized versions before 2026‑03b, the Quarantine details modal injects attachment filenames directly into the page’s HTML without escaping. An attacker can craft an email with a malicious attachment name, and when an administrator opens the quarantine record, the browser executes the injected code. This results in a complete compromise of the administrator’s account and any privileges the web interface confers.

Affected Systems

The flaw affects the mailcow‑dockerized suite. Any deployment of the open source groupware/email system that has not upgraded beyond the 2026‑03b release is vulnerable.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity. The EPSS score is not available, but the vulnerability is known to be actionable and is not yet listed in CISA’s KEV catalog, suggesting exploitation is possible yet not widely observed. Likely attack vectors involve the attacker sending a crafted email and the administrator subsequently viewing the quarantine modal in a browser.

Generated by OpenCVE AI on April 22, 2026 at 06:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mailcow‑dockerized to version 2026‑03b or later, which eliminates the unescaped rendering of attachment filenames.
  • If possible, disable or restrict the Quarantine interface for untrusted mail until the upgrade is completed.
  • Configure a strict content‑security‑policy header on the web admin interface to block inline JavaScript, reducing the risk of XSS exploitation.

Generated by OpenCVE AI on April 22, 2026 at 06:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mailcow
Mailcow mailcow Dockerized
Vendors & Products Mailcow
Mailcow mailcow Dockerized

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
Title mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames
Weaknesses CWE-79
CWE-80
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Mailcow Mailcow Dockerized
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:39:19.981Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40873

cve-icon Vulnrichment

Updated: 2026-04-21T19:39:09.220Z

cve-icon NVD

Status : Received

Published: 2026-04-21T20:17:00.820

Modified: 2026-04-21T20:17:00.820

Link: CVE-2026-40873

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:48Z

Weaknesses