Skip to main content

mailcow dockerized CVE-2026-40872

| EUVDEUVD-2026-24254 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

8
Patch released
Apr 22, 2026 - 21:02 nvd
Patch available
Re-analysis Queued
Apr 22, 2026 - 14:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 21:02 EUVD
Analysis Generated
Apr 21, 2026 - 20:50 vuln.today
CVSS changed
Apr 21, 2026 - 20:22 NVD
9.3 (CRITICAL)
EUVD ID Assigned
Apr 21, 2026 - 20:00 euvd
EUVD-2026-24254
Analysis Generated
Apr 21, 2026 - 20:00 vuln.today
CVE Published
Apr 21, 2026 - 19:14 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.

AnalysisAI

Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.

Technical ContextAI

The vulnerability affects mailcow dockerized (CPE: cpe:2.3:a:mailcow:mailcow-dockerized), an open-source containerized groupware and email suite. The flaw is a classic stored XSS (CWE-79) in the admin dashboard's log viewing functionality. The Autodiscover service, which helps email clients auto-configure settings via XML requests, logs the EMailAddress field to Redis without sanitization. When rendering these logs in the admin interface, the application fails to HTML-escape stored values, allowing script injection. This architectural issue combines unauthenticated write capability (Autodiscover accepts external requests) with privileged read context (admin dashboard), creating a privilege escalation pathway from anonymous to admin-level execution.

RemediationAI

Upgrade immediately to mailcow dockerized version 2026-03b or later, which implements HTML escaping for EMailAddress values in Autodiscover log rendering per vendor advisory at https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm. For environments unable to patch immediately, implement network-level controls to restrict Autodiscover endpoint access to trusted IP ranges only (typically internal networks or VPN), though this may disrupt legitimate auto-configuration for remote users. Alternatively, configure Redis key expiration policies to limit log retention duration, reducing exposure window, but this does not prevent exploitation and only shortens payload persistence. Review existing Autodiscover logs for suspicious EMailAddress entries containing HTML tags or JavaScript before and after remediation. No workaround fully mitigates the vulnerability-upgrade is the only complete remediation.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-40872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy