Impact
A reflected parameter injection flaw was discovered in the mailcow-dockerized web interface. When the login page is accessed, the raw request URI is passed to Twig as a global variable and rendered inside a JavaScript string literal. Because the default HTML escaping is used instead of JavaScript escaping, an attacker can embed malicious script content that will execute in the victim’s browser. The vulnerability allows an attacker to inject arbitrary JavaScript that runs with the privileges of the page, potentially facilitating credential theft, session hijacking, or other cross‑site attacks. The weakness is a classic reflected XSS, mapped to CWE‑79.
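As an added illustration (not mailcow's code), the following Python model contrasts the two escaping contexts the advisory describes: `render_vulnerable` applies HTML entity escaping inside a JavaScript string literal, while `render_fixed` applies JavaScript-string escaping modelled on Twig's `js` strategy (`{{ uri|e('js') }}`). The sample URI, the template prefix and the `literal_is_intact` checker are constructed for this example.

```python
import html
import re

# Constructed sample URI: harmless under HTML escaping, but the backslash
# and the newline both change the meaning of a JS string literal.
SAMPLE_URI = '/login?ref=a\\"\nb'

PREFIX, SUFFIX = 'var currentUri = "', '";'   # assumed template fragment


def escape_js(value: str) -> str:
    """JS-string escaping modelled on Twig's ``js`` strategy: every character
    outside [A-Za-z0-9,._] becomes \\xHH (or \\uHHHH above 0xFF), so the
    output can never contain a raw quote, backslash, line terminator or '<'."""
    out = []
    for ch in value:
        if re.fullmatch(r'[A-Za-z0-9,._]', ch):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append('\\x%02X' % ord(ch))
        else:
            out.append('\\u%04X' % ord(ch))
    return ''.join(out)


def render_vulnerable(uri: str) -> str:
    # The flaw: HTML escaping (Twig's default) used in a JavaScript context.
    return PREFIX + html.escape(uri, quote=True) + SUFFIX


def render_fixed(uri: str) -> str:
    # The fix: context-appropriate escaping, as {{ uri|e('js') }} in Twig.
    return PREFIX + escape_js(uri) + SUFFIX


def literal_is_intact(rendered: str) -> bool:
    """True if the text between the quotes cannot terminate or alter the
    double-quoted JS literal (or the enclosing <script> element)."""
    body = rendered[len(PREFIX):-len(SUFFIX)]
    i = 0
    while i < len(body):
        if body[i] == '\\':
            # Only the \xHH / \uHHHH forms produced by escape_js are accepted;
            # any other backslash (e.g. one that escapes the closing quote) fails.
            m = re.match(r'\\(?:x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})', body[i:])
            if not m:
                return False
            i += m.end()
            continue
        if body[i] in '"\n\r\u2028\u2029<':
            return False
        i += 1
    return True
```

HTML escaping converts `"` and `<` to entities but leaves `\` and line terminators untouched, which is exactly why it is the wrong escaper for a JavaScript string; the checker flags the vulnerable rendering and accepts the fixed one.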
Affected Systems
The issue affects any installed instance of mailcow-dockerized version 2026‑03b and earlier. The affected component is the base.twig template in the mailcow web interface. The vendor has released patch 2026‑03b which eliminates the erroneous rendering of the request URI.
Risk and Exploitability
The CVSS score is 2.1, indicating low severity, but the vulnerability could be abused if an attacker successfully lures an administrator or user to a crafted URL. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation data. The injection is reflected: the attacker must supply a URL that contains the malicious payload, and the victim must open the link in a browser that renders the login page. No authentication or privileged state is required for the exploit to be triggered. Consequently, while the risk is low in the absence of social‑engineering campaigns, the flaw still warrants immediate patching to eliminate the XSS surface.
OpenCVE Enrichment