CVE-2026-40873
Status: Received - Intake
Stored XSS in mailcow Quarantine Modal Enables Account Takeover

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   | Product            | Version / Range
mailcow  | mailcow_dockerized | all versions before 2026-03b (2026-03b excluded)
mailcow  | dockerized         | all versions before 2026-03b (2026-03b excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the mailcow web interface as an administrator, potentially leading to full compromise of the mailcow instance. This includes unauthorized access to all user mailboxes and the ability to perform actions such as password resets on other services.

Such unauthorized access and control over user data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure or modification.

Therefore, this vulnerability poses a significant risk to compliance with these regulations by compromising confidentiality, integrity, and availability of sensitive email data managed by the affected system.


Can you explain this vulnerability to me?

CVE-2026-40873 is a Stored Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized package, affecting versions prior to 2026-03b.

The flaw exists in the Quarantine details modal where attachment filenames are injected into the HTML without proper escaping. This allows an attacker to craft an email with a malicious attachment filename containing arbitrary HTML or JavaScript code.

When an administrator views the quarantine item and its attachments, the injected script executes in the administrator's browser, potentially leading to full account takeover.

Technically, the vulnerability arises from unsafe insertion of the attachment filename into the HTML in the JavaScript file handling the quarantine modal, enabling injection of payloads such as <img src=x onerror=alert(origin)>.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of the mailcow web interface as an administrator.

As a result, an attacker can fully compromise the mailcow instance, including reading all user mailboxes and performing actions such as password resets on other services.

The impact includes high confidentiality, integrity, and availability risks on the vulnerable system and any connected systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying emails in the mailcow quarantine that contain attachment filenames with malicious HTML or JavaScript code. Since the exploit involves crafted attachment names that execute scripts when viewed, detection involves inspecting quarantined emails for suspicious attachment names.

One practical approach is to send a test email with a crafted attachment filename containing a known XSS payload (e.g., <img src=x onerror=alert(origin)>) to your mailcow instance and then check if the quarantine details modal executes the script when viewed by an administrator.

For automated detection, you can query the quarantine database or logs for attachment filenames containing suspicious characters such as <, >, or JavaScript event handlers like onerror, onclick, etc.

Specific commands are not provided in the resources, but general commands to inspect quarantined emails or logs might include:

  • Using mailcow's API or database queries to list quarantined emails and their attachment filenames.
  • Using grep or similar tools to search for suspicious patterns in quarantine logs or mail storage, e.g., grep -r '<img' /path/to/mailcow/quarantine
  • Sending test emails with crafted attachment names via SMTP to trigger the vulnerability and observe behavior.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where the vulnerability has been fixed by properly escaping attachment filenames before inserting them into the HTML.

Until the upgrade can be applied, administrators should avoid viewing the quarantine details modal for suspicious emails with attachments, as viewing triggers the XSS execution.

Additionally, consider restricting access to the mailcow web interface to trusted administrators only and monitor quarantine items closely for suspicious attachment names.
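As an added illustration (not mailcow's own code and not taken from the fix commit), the block below contrasts the CWE-79 pattern the description names, a filename concatenated straight into modal markup, with the escaped form that the upgrade mitigation relies on, and implements the filename screen the detection answer describes (angle brackets, inline event handlers, javascript: URLs). The function names, the attachment record shape and the sample filenames are constructed for this example; only the <img src=x onerror=alert(origin)> payload string comes from the page.

```javascript
// Added example: how an attachment filename reaches quarantine-modal HTML,
// unsafely and safely, plus a screen for suspicious names in quarantine data.
// Function names, the record shape and all sample values are constructed here;
// nothing below is mailcow's own code.

// Escape the characters that change meaning in HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (CWE-79 / CWE-80): the attacker-controlled filename is
// concatenated into markup, so a name like <img src=x onerror=...> becomes a
// live element when the admin's browser renders the modal.
function renderAttachmentUnsafe(att) {
  return '<li><a href="' + att.downloadUrl + '">' + att.filename + "</a></li>";
}

// Hardened pattern: every untrusted value is escaped before it touches markup.
// In a real browser the equivalent is assigning textContent / jQuery .text()
// rather than building an HTML string at all.
function renderAttachmentSafe(att) {
  return (
    '<li><a href="' + escapeHtml(att.downloadUrl) + '">' +
    escapeHtml(att.filename) +
    "</a></li>"
  );
}

// Detection heuristics matching the answer above: angle brackets, inline
// on* event handlers, or javascript: URLs have no place in a filename.
const SUSPICIOUS_PATTERNS = [/[<>]/, /\bon[a-z]+\s*=/i, /javascript:/i];

function isSuspiciousFilename(name) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(name));
}

// Return the filenames of quarantine entries worth a closer look.
function scanAttachments(attachments) {
  return attachments
    .filter((att) => isSuspiciousFilename(att.filename))
    .map((att) => att.filename);
}

// Constructed sample quarantine entries (not real mail data).
const SAMPLE_ATTACHMENTS = [
  { filename: "invoice.pdf", downloadUrl: "/quarantine/1/att/0" },
  { filename: "<img src=x onerror=alert(origin)>.pdf", downloadUrl: "/quarantine/2/att/0" },
  { filename: 'report" onmouseover="alert(1)', downloadUrl: "/quarantine/3/att/0" },
];

console.log("unsafe :", renderAttachmentUnsafe(SAMPLE_ATTACHMENTS[1]));
console.log("safe   :", renderAttachmentSafe(SAMPLE_ATTACHMENTS[1]));
console.log("flagged:", scanAttachments(SAMPLE_ATTACHMENTS));
```

The third sample name carries no angle brackets at all, which is why the screen also looks for `on…=` handlers: a name that closes an attribute and opens a new one is just as dangerous in attribute context as a full tag is in text context, and the escaping function neutralises both because it encodes quotes as well as brackets.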

