CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
Analysis (AI)
Stored cross-site scripting (XSS) in mailcow: dockerized (versions prior to 2026-03b) allows remote unauthenticated attackers to execute arbitrary JavaScript in administrator sessions by delivering emails with malicious attachment filenames. When administrators view quarantined emails through the web interface, unsanitized filenames inject into HTML without escaping, triggering automatic JavaScript execution that can compromise administrator accounts. …
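The rendering mistake described in the description and analysis above, as an added illustration that is not mailcow's own code: an attachment filename concatenated straight into the modal's markup, beside the same row rendered with HTML escaping. The function and field names are assumptions.

```javascript
// Added illustration, not mailcow's code. Function and field names are assumed.

// Minimal HTML escaper for text placed into element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted filename is interpolated into markup as-is,
// so any markup characters in it become part of the admin's document.
function renderAttachmentRowVulnerable(att) {
  return `<tr><td>${att.filename}</td><td>${att.size} bytes</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
// (In DOM code the equivalent is creating the <td> and assigning textContent.)
function renderAttachmentRowSafe(att) {
  return `<tr><td>${escapeHtml(att.filename)}</td><td>${escapeHtml(att.size)} bytes</td></tr>`;
}

// Constructed sample attachment: a filename that carries HTML markup.
const sampleAttachment = { filename: '<b>summary</b> "Q1".pdf', size: 1024 };

// Self-check: ignoring the row's own <tr>/<td> tags, does any raw tag remain?
function containsRawTag(html) {
  return /<\/?[a-z][^>]*>/i.test(html.replace(/<\/?(tr|td)>/g, ""));
}
```

Running the self-check on both renderers shows the vulnerable row still contains a live tag while the hardened row contains only entities.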
Remediation (AI)
Within 24 hours: inventory all mailcow deployments and document current versions; isolate mailcow administrative interfaces from untrusted networks if feasible. Within 7 days: implement email gateway filtering to block messages with suspicious attachment filenames (special characters, script tags, encoded payloads); configure Content Security Policy headers on the mailcow web interface to restrict inline script execution. …
EUVD-2026-24255