CVE-2026-40873
Received Received - Intake
Stored XSS in mailcow Quarantine Modal Enables Account Takeover

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40873
EUVD
EUVD-2026-24255
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mailcow mailcow_dockerized to 2026-03b (exc)
mailcow dockerized to 2026-03b (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40873 is a Stored Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized package, affecting versions prior to 2026-03b.

The flaw exists in the Quarantine details modal where attachment filenames are injected into the HTML without proper escaping. This allows an attacker to craft an email with a malicious attachment filename containing arbitrary HTML or JavaScript code.

When an administrator views the quarantine item and its attachments, the injected script executes in the administrator's browser, potentially leading to full account takeover.

Technically, the vulnerability arises from unsafe insertion of the attachment filename into the HTML in the JavaScript file handling the quarantine modal, enabling injection of payloads such as <img src=x onerror=alert(origin)>.

Impact Analysis

This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of the mailcow web interface as an administrator.

As a result, an attacker can fully compromise the mailcow instance, including reading all user mailboxes and performing actions such as password resets on other services.

The impact includes high confidentiality, integrity, and availability risks on the vulnerable system and any connected systems.

Detection Guidance

This vulnerability can be detected by identifying emails in the mailcow quarantine that contain attachment filenames with malicious HTML or JavaScript code. Since the exploit involves crafted attachment names that execute scripts when viewed, detection involves inspecting quarantined emails for suspicious attachment names.

One practical approach is to send a test email with a crafted attachment filename containing a known XSS payload (e.g., <img src=x onerror=alert(origin)>) to your mailcow instance and then check if the quarantine details modal executes the script when viewed by an administrator.

For automated detection, you can query the quarantine database or logs for attachment filenames containing suspicious characters such as <, >, or JavaScript event handlers like onerror, onclick, etc.

Specific commands are not provided in the resources, but general commands to inspect quarantined emails or logs might include:

  • Using mailcow's API or database queries to list quarantined emails and their attachment filenames.
  • Using grep or similar tools to search for suspicious patterns in quarantine logs or mail storage, e.g., grep -r '<img' /path/to/mailcow/quarantine
  • Sending test emails with crafted attachment names via SMTP to trigger the vulnerability and observe behavior.
Mitigation Strategies

The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where the vulnerability has been fixed by properly escaping attachment filenames before inserting them into the HTML.

Until the upgrade can be applied, administrators should avoid viewing the quarantine details modal for suspicious emails with attachments, as viewing triggers the XSS execution.

Additionally, consider restricting access to the mailcow web interface to trusted administrators only and monitor quarantine items closely for suspicious attachment names.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the mailcow web interface as an administrator, potentially leading to full compromise of the mailcow instance. This includes unauthorized access to all user mailboxes and the ability to perform actions such as password resets on other services.

Such unauthorized access and control over user data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure or modification.

Therefore, this vulnerability poses a significant risk to compliance with these regulations by compromising confidentiality, integrity, and availability of sensitive email data managed by the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart