cbcvebase.
CVE-2026-7460
published 2026-05-20

CVE-2026-7460: mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from…

PriorityP338high7.4CVSS 4.0
AVNACLATPPRLUIPVCHVIHVANSCLSILSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.32%
23.7th percentile
mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b.

Affected

1 ranges
VendorProductVersion rangeFixed in
mailcowmailcow-dockerized
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.