EUVD-2026-24253CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability.
AnalysisAI
Second-order SQL injection in mailcow: dockerized versions prior to 2026-03b allows authenticated API users with high privileges to execute arbitrary SQL commands through the quarantine notification system. Attackers inject malicious SQL via the quarantine_category field in /api/v1/add/mailbox endpoint, which executes when quarantine_notify.py runs its scheduled job, enabling data exfiltration of admin credentials and sensitive information through UNION-based queries rendered in notification emails. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all mailcow instances and current versions via inventory/deployment tools. Within 7 days: Upgrade mailcow to version 2026-03b or later; if upgrade blocked, implement access controls restricting /api/v1/add/mailbox endpoint to essential administrators only and disable quarantine_notify.py scheduled job if operationally feasible. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today