Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding.
This issue affects mailcow-dockerized: 2026-03b.
AnalysisAI
Stored cross-site scripting in the mailcow-dockerized administrator Queue Manager allows attackers who can influence Postfix queue metadata to inject HTML/JavaScript that executes in an authenticated administrator's browser. The flaw exists because the /api/v1/get/mailq/all endpoint feeds server-controlled queue fields into DataTables rows that are rendered as HTML without sufficient output encoding. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
mailcow-dockerized is a popular Dockerised mail server stack bundling Postfix, Dovecot, SOGo, Rspamd and a PHP-based administrative UI. The Queue Manager component in the admin UI calls the internal API endpoint /api/v1/get/mailq/all to enumerate messages currently held by Postfix and renders them through the DataTables jQuery plugin. Because several of those columns (sender, recipient, subject, error reason and similar Postfix-derived strings) are rendered with HTML rather than text and the values are not adequately encoded, this is a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS - the malicious payload is persisted in the Postfix queue state and replayed each time an administrator opens the Queue Manager view. The affected CPE is cpe:2.3:a:mailcow:mailcow-dockerized:*:*:*:*:*:*:*:*, with the EUVD record (EUVD-2026-31048) explicitly naming build 2026-03b.
RemediationAI
No vendor-released patch identified at time of analysis; the references point only to the Fluid Attacks advisory (https://fluidattacks.com/advisories/mojabi) and the upstream repository (https://github.com/mailcow/mailcow-dockerized), so administrators should monitor the mailcow-dockerized release feed and apply the next tagged build that supersedes 2026-03b. Until a fix is available, restrict access to the mailcow administrative UI to a trusted management network or VPN (this is a defense in depth measure that does not eliminate the bug but greatly reduces who can be phished into opening the Queue Manager), avoid loading the Queue Manager view on accounts that hold full admin privileges where possible, and consider clearing the Postfix queue (postsuper -d ALL) if suspicious entries are observed - noting that this destroys legitimate undelivered mail. A web application firewall rule that strips or HTML-encodes <, >, and quote characters in responses from /api/v1/get/mailq/all can provide stop-gap mitigation but may break the Queue Manager UI for legitimate Unicode subjects.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31048
GHSA-4wpv-p8hj-wr36