Skip to main content

mailcow-dockerized EUVDEUVD-2026-31048

| CVE-2026-7460 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 Fluid Attacks GHSA-4wpv-p8hj-wr36
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 06:00 vuln.today
CVSS changed
May 20, 2026 - 04:22 NVD
7.4 (HIGH)
CVE Published
May 20, 2026 - 02:19 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding.

This issue affects mailcow-dockerized: 2026-03b.

AnalysisAI

Stored cross-site scripting in the mailcow-dockerized administrator Queue Manager allows attackers who can influence Postfix queue metadata to inject HTML/JavaScript that executes in an authenticated administrator's browser. The flaw exists because the /api/v1/get/mailq/all endpoint feeds server-controlled queue fields into DataTables rows that are rendered as HTML without sufficient output encoding. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

mailcow-dockerized is a popular Dockerised mail server stack bundling Postfix, Dovecot, SOGo, Rspamd and a PHP-based administrative UI. The Queue Manager component in the admin UI calls the internal API endpoint /api/v1/get/mailq/all to enumerate messages currently held by Postfix and renders them through the DataTables jQuery plugin. Because several of those columns (sender, recipient, subject, error reason and similar Postfix-derived strings) are rendered with HTML rather than text and the values are not adequately encoded, this is a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS - the malicious payload is persisted in the Postfix queue state and replayed each time an administrator opens the Queue Manager view. The affected CPE is cpe:2.3:a:mailcow:mailcow-dockerized:*:*:*:*:*:*:*:*, with the EUVD record (EUVD-2026-31048) explicitly naming build 2026-03b.

RemediationAI

No vendor-released patch identified at time of analysis; the references point only to the Fluid Attacks advisory (https://fluidattacks.com/advisories/mojabi) and the upstream repository (https://github.com/mailcow/mailcow-dockerized), so administrators should monitor the mailcow-dockerized release feed and apply the next tagged build that supersedes 2026-03b. Until a fix is available, restrict access to the mailcow administrative UI to a trusted management network or VPN (this is a defense in depth measure that does not eliminate the bug but greatly reduces who can be phished into opening the Queue Manager), avoid loading the Queue Manager view on accounts that hold full admin privileges where possible, and consider clearing the Postfix queue (postsuper -d ALL) if suspicious entries are observed - noting that this destroys legitimate undelivered mail. A web application firewall rule that strips or HTML-encodes <, >, and quote characters in responses from /api/v1/get/mailq/all can provide stop-gap mitigation but may break the Queue Manager UI for legitimate Unicode subjects.

Share

EUVD-2026-31048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy