Impact Analysis

This vulnerability can allow an attacker to execute malicious scripts in the administrator's browser session.

• The attacker can read sensitive data accessible to the administrator.
• They may perform unauthorized administrative actions.
• The attacker could steal session information, potentially leading to further compromise.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-7460 is a stored cross-site scripting (XSS) vulnerability in the mailcow-dockerized administrator Queue Manager.

The Queue Manager fetches mail queue entries from the API endpoint /api/v1/get/mailq/all and renders several Postfix queue fields such as sender, queue_name, and queue_id as HTML without proper output encoding.

Because these fields are not escaped before display, an attacker who can manipulate queue metadata can inject malicious HTML or JavaScript code.

When an administrator accesses the Queue Manager interface, the injected code executes in their browser session.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the mailcow-dockerized version 2026-03b is in use and if the administrator Queue Manager is accessible at /admin/queue.

Specifically, detection involves verifying whether the API endpoint /api/v1/get/mailq/all is returning mail queue entries that include unescaped HTML or JavaScript in the sender, queue_name, or queue_id fields.

Since the vulnerability is a stored cross-site scripting (XSS) issue triggered by malicious content in these fields, one can attempt to inspect the data returned by the API endpoint for suspicious HTML or script tags.

Suggested commands include using curl or similar tools to fetch the mail queue entries and grep or jq to inspect the fields for suspicious content. For example:

• curl -s -k -H "Authorization: Bearer <token>" https://<mailcow-server>/api/v1/get/mailq/all | grep -iE '<script|<img|<iframe'
• curl -s -k -H "Authorization: Bearer <token>" https://<mailcow-server>/api/v1/get/mailq/all | jq '.[] | {sender, queue_name, queue_id}'

Replace <token> with a valid API token and <mailcow-server> with the server address. These commands help identify if any queue entries contain potentially malicious HTML or JavaScript.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update mailcow-dockerized to a version that includes the security patch released on May 12, 2026.

Since the vulnerability is a stored XSS in the administrator Queue Manager, applying the patch will ensure proper output encoding of the Postfix queue fields and prevent malicious script execution.

Additionally, restrict access to the administrator Queue Manager interface (/admin/queue) to trusted users only, and monitor for suspicious queue entries that may contain malicious payloads.

If immediate patching is not possible, consider temporarily disabling or restricting access to the Queue Manager to prevent exploitation.

Useful 0 Not Useful 0

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in mailcow-dockerized's administrator Queue Manager could potentially lead to unauthorized access to sensitive data or administrative actions by attackers. This risk of data exposure or manipulation may impact compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or breaches.

Specifically, if an attacker exploits this vulnerability to steal session information or read sensitive data, it could result in a violation of confidentiality and integrity requirements mandated by these standards.

Useful 0 Not Useful 0