Impact
The vulnerability allows an attacker who can control the contents of the Postfix queue to embed malicious HTML into the administrator’s Queue Manager view. When the page renders the copied queue fields as unescaped HTML, the attacker can execute arbitrary JavaScript in the context of the admin’s browser session. Compromise of that session is inferred, but the description does not name specific outcomes such as session hijacking or credential theft. The weakness is a classic Stored XSS, identified as CWE‑79, and poses confidentiality, integrity, and availability risks limited to users who can log into the administrative interface.
Affected Systems
The flaw is present in the mailcow‑dockerized 2026‑03b release, distributed by the mailcow vendor. Versions before 2026‑03b are not impacted, and any newer releases that include a fix would not be affected. All systems running the affected image and hosting the Queue Manager interface are vulnerable until the patch is applied or the feature is disabled.
Risk and Exploitability
With a CVSS score of 7.4, the vulnerability carries a high risk level. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The likely attack path requires an attacker to have administrative access to the mailcow interface and then exploit the unescaped rendering of queue fields to inject script. If successful, the attacker can execute arbitrary JavaScript in the admin’s browser session, which may compromise that session or its data.
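The rendering defect described in the Impact and Risk sections, shown as an added example that is not mailcow’s code: the unsafe pattern concatenates queue fields straight into table markup, while the hardened pattern passes every untrusted field through an HTML escaper first. The field names (queue_id, sender, recipients[].address, recipients[].delay_reason) are assumptions modelled on the JSON that `postqueue -j` emits, and the sample entry is constructed, not a real queue capture.

```javascript
// Added example (not mailcow's own code): render Postfix queue fields into an
// admin-facing table without letting their contents become markup.
// Field names are assumptions modelled on `postqueue -j` output.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: untrusted queue fields are interpolated directly into HTML,
// which is the defect class the advisory describes. Kept here only so the
// hardened version can be contrasted against it.
function renderQueueRowsUnsafe(entries) {
  return entries.map((e) =>
    `<tr><td>${e.queue_id}</td><td>${e.sender}</td>` +
    `<td>${e.recipients.map((r) => r.address).join('<br>')}</td>` +
    `<td>${e.recipients.map((r) => r.delay_reason || '').join('<br>')}</td></tr>`
  ).join('');
}

// Hardened pattern: every field that originates from the queue is escaped
// before insertion. Only developer-controlled markup (the row/cell tags and
// the <br> separator between recipients) remains unescaped.
function renderQueueRows(entries) {
  return entries.map((e) =>
    `<tr><td>${escapeHtml(e.queue_id)}</td><td>${escapeHtml(e.sender)}</td>` +
    `<td>${e.recipients.map((r) => escapeHtml(r.address)).join('<br>')}</td>` +
    `<td>${e.recipients.map((r) => escapeHtml(r.delay_reason || '')).join('<br>')}</td></tr>`
  ).join('');
}

// Constructed sample queue entry (not a real capture): the sender and the
// delay reason carry markup, as queue contents under attacker control might.
const SAMPLE_QUEUE = [
  {
    queue_id: 'ABC123DEF4',
    sender: '<script>alert(1)</script>',
    recipients: [
      { address: 'admin@example.test', delay_reason: 'connect to mx: <b>timed out</b>' },
    ],
  },
];

// Review/test check: does a raw tag from an untrusted field survive into the
// rendered HTML? True for the unsafe renderer, false for the hardened one.
function containsRawTag(html, tag) {
  return html.toLowerCase().includes(`<${tag}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe renderer leaks <script>:', containsRawTag(renderQueueRowsUnsafe(SAMPLE_QUEUE), 'script'));
  console.log('escaped renderer leaks <script>:', containsRawTag(renderQueueRows(SAMPLE_QUEUE), 'script'));
}
```

In a browser the same guarantee can be obtained without string-building by assigning each field to a cell’s `textContent`, or, when a table library such as DataTables is used, by selecting its text-escaping column renderer rather than allowing raw HTML in cells; the point in either case is that queue data is treated as text, never as markup.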
OpenCVE Enrichment