EUVD-2026-24258CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionNVD
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.
AnalysisAI
Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Audit mailcow deployment versions and inventory all instances running versions prior to 2026-03b; disable or restrict access to the login history dashboard until patched. Within 7 days: upgrade to mailcow version 2026-03b or later once released; review access logs for suspicious login history views or X-Real-IP header anomalies. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today