CVE-2026-40875
Received - Intake
Stored XSS via Unescaped IP in mailcow Login History

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product             Version / Range
mailcow  mailcow_dockerized  2026-03b
mailcow  dockerized          up to 2026-03b (excluding)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80   The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade mailcow-dockerized to 2026-03b or later; the fix HTML-escapes the real_rip value (the client IP taken from the login log) before it is written into the dashboard page. Rows injected before the upgrade stay in the log and are merely rendered harmlessly afterwards, so inspect the login history once you have upgraded.

Until the upgrade can be applied, make sure only a trusted reverse proxy can set X-Real-IP: the edge proxy should overwrite the header with the connecting client's address rather than pass a client-supplied value through, and a WAF rule in front of the login endpoint can reject requests whose X-Real-IP does not parse as an IPv4/IPv6 address. Rejecting anything that is not an address is simpler and more robust than trying to spot "HTML or JavaScript" in the value.

Additionally, warn users that a link can silently log them into someone else's account (Login CSRF); a mailcow session they did not start, or a mailbox they do not recognise, is a reason to close the tab rather than keep browsing.


Can you explain this vulnerability to me?

CVE-2026-40875 is a stored Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized package versions prior to 2026-03b. It occurs because the user dashboard's "Seen successful connections" (login history) feature displays the client IP address from login logs without properly escaping HTML.

The server takes the client's source IP for logging from the X-Real-IP request header and stores it without checking that it is actually an address, so an attacker who controls that header can place arbitrary HTML or JavaScript in the field.

The attacker logs into their own account with a crafted X-Real-IP header; the payload is stored and later rendered in that account's login history. On its own this is only a self-XSS. It becomes an attack through Login CSRF: the attacker gets the victim to submit a login for the attacker's account (for example through a link that the victim follows from their mailbox), so the victim's browser opens the attacker's dashboard and executes the stored script.

Because the forced-login tab and the victim's previously opened mailbox tab are on the same origin, and the mailbox tab is the opener of the new one, the script can reach the mailbox through window.opener.document and read its contents, including message bodies.

The vulnerability is fixed in version 2026-03b by properly escaping the HTML output of the IP address.
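To make the defect and the fix concrete, here is an added Python example; it is not mailcow's own PHP code. It shows a rendering function that concatenates the logged IP into the table the way the affected versions did, the escaped form that corresponds to the 2026-03b fix, and a second layer of defence at the logging side: a resolver that honours X-Real-IP only when the request arrives from a trusted proxy and the value parses as an address. The row shape, the trusted-proxy ranges and the payload are constructed for the example.

```python
import html
import ipaddress
from typing import Iterable, Mapping

# Constructed sample of what the login history can hold once an attacker has
# logged in with a crafted X-Real-IP header: one real address, one payload.
SAMPLE_ROWS = [
    {"time": "2026-04-01 10:00:00", "service": "SOGo", "ip": "203.0.113.7"},
    {"time": "2026-04-01 10:05:00", "service": "SOGo",
     "ip": '<img src=x onerror="fetch(\'/exfil?d=\'+encodeURIComponent(opener.document.body.innerText))">'},
]

# Assumed trusted reverse proxies (hypothetical range for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def render_vulnerable(rows: Iterable[Mapping[str, str]]) -> str:
    """Pre-2026-03b behaviour: the ip field is concatenated into the page unescaped."""
    out = []
    for r in rows:
        out.append(
            f"<tr><td>{html.escape(r['time'])}</td>"
            f"<td>{html.escape(r['service'])}</td>"
            f"<td>{r['ip']}</td></tr>"  # the one field that was missed
        )
    return "\n".join(out)


def render_fixed(rows: Iterable[Mapping[str, str]]) -> str:
    """Fixed behaviour: every user-influenced field is HTML-escaped on output."""
    out = []
    for r in rows:
        out.append(
            f"<tr><td>{html.escape(r['time'])}</td>"
            f"<td>{html.escape(r['service'])}</td>"
            f"<td>{html.escape(r['ip'])}</td></tr>"
        )
    return "\n".join(out)


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies=TRUSTED_PROXIES) -> str:
    """Defence in depth at the point the IP is logged.

    Honour X-Real-IP only when (a) the TCP peer is one of our own proxies and
    (b) the header value parses as an IPv4/IPv6 address. Anything else falls
    back to the peer address, so free-form text never reaches the log.
    """
    candidate = headers.get("X-Real-IP")
    if candidate is None:
        return remote_addr
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not any(peer in net for net in trusted_proxies):
        return remote_addr  # a client talking to us directly cannot set it
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError:
        return remote_addr  # "<img ...>" is not an address


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_ROWS))
    print(render_fixed(SAMPLE_ROWS))
    print(client_ip("10.0.0.2", {"X-Real-IP": "203.0.113.7"}))
    print(client_ip("198.51.100.9", {"X-Real-IP": "<b>not an ip</b>"}))
```

Escaping on output is the actual fix; the resolver is what stops the payload from ever being stored, which also keeps the login history useful as an audit record.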


How can this vulnerability impact me? :

This vulnerability allows any authenticated attacker to execute stored XSS in other users’ browsers by injecting malicious IP values into the login history.

As a result, the attacker can disclose sensitive email content, including password reset tokens or links, which could lead to account takeover.

The attack requires user interaction (the victim must follow the attacker's link while their own mailbox is open in a tab that the new tab can reach through window.opener) and is rated high complexity, but once it succeeds it compromises the confidentiality of the victim's mail and whatever else the mailbox tab exposes.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Two checks apply: confirm that the mailcow-dockerized instance runs 2026-03b or later, and inspect the stored login history ("Seen successful connections" in the user dashboard) for IP fields that are not valid IP addresses, in particular values containing <, >, quotes or an onerror=/onload= attribute. Rows injected before the upgrade remain in the log, since the fix escapes them on output rather than removing them.

Exploitation also leaves a trace at the HTTP layer: a login request whose X-Real-IP header is not an IP address. Two caveats before grepping for it: the header is only visible in plaintext where TLS has been terminated (port 80, or the hop between the reverse proxy and the backend; a capture on port 443 shows only ciphertext), and nginx does not record request headers in its access log unless the log_format includes $http_x_real_ip.

Suggested commands to detect exploitation attempts or malicious headers:

  • Capture plaintext HTTP (port 80, or on the proxy-to-backend hop) and look for X-Real-IP values that contain markup, e.g.:
    tcpdump -A -s 0 'tcp port 80' | grep -E 'X-Real-IP:.*[<>"]'
  • If your proxy logs the header, grep its access log for the same pattern. mailcow's containers log to stdout, so, assuming $http_x_real_ip has been added to the nginx log_format, e.g.:
    docker compose logs nginx-mailcow | grep -Ei '<(script|img|svg)|on(load|error)='

Verifying the mailcow-dockerized version also tells you whether the system is vulnerable:

  • In the mailcow-dockerized checkout the running release is the git tag (e.g. git describe --tags); any tag that sorts before 2026-03b is affected.
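Both checks above can be scripted. The following is an added Python example, not a mailcow tool: it scans login-history rows for IP fields that do not parse as an address (a valid address cannot carry markup, so one check covers every payload shape) and decides from a mailcow release tag whether the instance predates the fix. The rows are constructed; the assumption that release tags have the form YYYY-MM with an optional letter suffix is labelled in the code.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of login-history rows as the dashboard shows them:
# (timestamp, service, value stored as the client IP). Two are genuine
# addresses, two are what a crafted X-Real-IP header leaves behind.
SAMPLE_HISTORY: List[Tuple[str, str, str]] = [
    ("2026-04-01 09:12:03", "SOGo", "203.0.113.7"),
    ("2026-04-01 09:40:11", "SOGo", "2001:db8::1"),
    ("2026-04-02 18:02:55", "SOGo", "<img src=x onerror=alert(document.domain)>"),
    ("2026-04-02 18:03:10", "SOGo", "203.0.113.7, not-an-address"),
]

# Characters and attribute patterns that have no business in an IP field.
HTML_HINT = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

FIXED_VERSION = "2026-03b"
# Assumption: mailcow release tags look like YYYY-MM with an optional
# lowercase letter suffix (2026-03, 2026-03a, 2026-03b, ...).
VERSION_RE = re.compile(r"^(\d{4})-(\d{2})([a-z]?)$")


def suspicious_ip_values(rows):
    """Return (timestamp, service, value, reason) for every row whose IP
    field does not parse as an IPv4/IPv6 address."""
    findings = []
    for ts, service, value in rows:
        try:
            ipaddress.ip_address(value.strip())
            continue  # a real address: nothing to report
        except ValueError:
            pass
        reason = ("contains HTML/script characters" if HTML_HINT.search(value)
                  else "not a valid IP address")
        findings.append((ts, service, value, reason))
    return findings


def parse_version(tag: str):
    """Split a release tag into a comparable (year, month, suffix) tuple."""
    m = VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised mailcow version tag: {tag!r}")
    return (int(m.group(1)), int(m.group(2)), m.group(3))


def is_vulnerable(tag: str) -> bool:
    """True for any release that sorts before 2026-03b."""
    return parse_version(tag) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for finding in suspicious_ip_values(SAMPLE_HISTORY):
        print(finding)
    for v in ("2025-12", "2026-03a", "2026-03b", "2026-04"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed suspicious_ip_values whatever you export from the login history (a database dump or the dashboard table) and treat any finding as a sign that someone has already sent a crafted X-Real-IP to the instance, regardless of whether the upgrade has since been applied.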

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows an attacker to execute stored Cross-Site Scripting (XSS) attacks that can lead to the disclosure of sensitive email content, including password reset tokens or links, potentially enabling account takeover.

Such unauthorized disclosure of sensitive personal data and potential account compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, the vulnerability poses a risk to maintaining confidentiality and integrity of user data, which are core requirements in these common standards and regulations.

