CVE-2026-40875
Received Received - Intake
Stored XSS via Unescaped IP in mailcow Login History

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40875
EUVD
EUVD-2026-24258
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mailcow mailcow_dockerized 2026-03b
mailcow dockerized to 2026-03b (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where the vulnerability is fixed by properly escaping the real_rip parameter in the HTML output.

Until the upgrade can be applied, consider implementing network-level filtering or web application firewall (WAF) rules to block or sanitize incoming HTTP requests with suspicious X-Real-IP header values containing HTML or JavaScript.

Additionally, educate users about the risks of Login CSRF attacks and encourage cautious behavior when clicking on unknown links that could trigger forced logins.

Compliance Impact

This vulnerability allows an attacker to execute stored Cross-Site Scripting (XSS) attacks that can lead to the disclosure of sensitive email content, including password reset tokens or links, potentially enabling account takeover.

Such unauthorized disclosure of sensitive personal data and potential account compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, the vulnerability poses a risk to maintaining confidentiality and integrity of user data, which are core requirements in these common standards and regulations.

Executive Summary

CVE-2026-40875 is a stored Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized package versions prior to 2026-03b. It occurs because the user dashboard's "Seen successful connections" (login history) feature displays the client IP address from login logs without properly escaping HTML.

The server trusts the X-Real-IP HTTP header as the source IP for logging without validation or sanitization, allowing an attacker to inject arbitrary HTML or JavaScript code into this field.

An attacker can log into their own account with a malicious X-Real-IP header containing HTML/JS code, which gets stored and rendered in the login history. Then, by using a Login Cross-Site Request Forgery (Login CSRF), the attacker can force a victim to log into the attacker’s account, causing the malicious script to execute in the victim’s browser.

This exploit enables the attacker to read sensitive information visible to the victim, such as emails from a previously opened mailbox tab, by leveraging the browser’s opener.document object.

The vulnerability is fixed in version 2026-03b by properly escaping the HTML output of the IP address.

Impact Analysis

This vulnerability allows any authenticated attacker to execute stored XSS in other users’ browsers by injecting malicious IP values into the login history.

As a result, the attacker can disclose sensitive email content, including password reset tokens or links, which could lead to account takeover.

The attack requires user interaction and has a high complexity, but once exploited, it can compromise the confidentiality of user emails and potentially other sensitive data accessible through the victim’s browser session.

Detection Guidance

This vulnerability can be detected by checking if the mailcow-dockerized instance is running a version prior to 2026-03b and by inspecting the login history for suspicious or malformed X-Real-IP header values that contain HTML or JavaScript code.

Since the vulnerability arises from the server trusting the X-Real-IP HTTP header without sanitization, you can monitor HTTP login requests for unusual or suspicious X-Real-IP header values that include HTML or script tags.

Suggested commands to detect potential exploitation attempts or presence of malicious headers might include:

  • Using tcpdump or tshark to capture HTTP login requests and filter for X-Real-IP headers containing suspicious characters, e.g.:
  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'X-Real-IP'
  • Or using grep on server logs to find X-Real-IP headers with HTML tags or JavaScript payloads, e.g.:
  • grep -i 'X-Real-IP' /var/log/mailcow/* | grep -E '<|>|script|onload|alert'

Additionally, verifying the mailcow-dockerized version can help detect if the system is vulnerable:

  • Check the installed version against 2026-03b to confirm if the fix is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart