
Mailcow Mailcow-Dockerized vulnerabilities

21 known vulnerabilities affecting mailcow/mailcow-dockerized.

Total CVEs: 21
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 12, MEDIUM 6, LOW 2

Vulnerabilities

Page 1 of 2
CVE-2025-25198 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 2025-01a | 2025-02-12
CWE-601. mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host` HTTP header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poi
Source: NVD

CVE-2026-40871 | P2 | HIGH | CVSS 7.2 | fixed in 2026-03b | 2026-04-21
CWE-20. mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, wh
Source: NVD

CVE-2023-26490 | P2 | HIGH | CVSS 8.8 | fixed in 2023-03 | 2023-03-04
CWE-78. mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dove
Source: NVD

CVE-2022-31138 | P2 | HIGH | CVSS 8.8 | fixed in 2022-06a | 2022-07-11
CWE-78. mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instance
Source: NVD

CVE-2023-34108 | P3 | HIGH | CVSS 8.8 | fixed in 2023-05a | 2023-06-07
CWE-78. mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow which allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises f
Source: NVD

CVE-2026-40873 | P3 | HIGH | CVSS 8.9 | fixed in 2026-03b | 2026-04-21
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScrip
Source: NVD

CVE-2024-30270 | P3 | MEDIUM | CVSS 6.2 | fixed in 2024-04 | 2024-04-04
CWE-22. mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwr
Source: NVD

CVE-2026-40872 | P3 | CRITICAL | CVSS 9.3 | fixed in 2026-03b | 2026-04-21
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is sto
Source: NVD

CVE-2024-41958 | P3 | HIGH | CVSS 7.2 | fixed in 2024-07 | 2024-08-05
CWE-697. mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, th
Source: NVD

CVE-2025-53909 | P3 | HIGH | CVSS 7.2 | fixed in 2025-07 | 2025-07-17
CWE-1336. mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code
Source: NVD

CVE-2024-24760 | P3 | HIGH | CVSS 7.3 | fixed in 2024-01c | 2024-02-02
CWE-610. mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnera
Source: NVD

CVE-2022-39258 | P3 | HIGH | CVSS 8.2 | fixed in 2022-09 | 2022-09-27
CWE-200. mailcow is a mailserver suite. A vulnerability in versions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker-controlled place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2
Source: NVD

CVE-2026-40878 | P4 | LOW | CVSS 2.1 | PoC | fixed in 2026-03b | 2026-04-21
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping inste
Source: NVD

CVE-2026-7460 | P3 | HIGH | CVSS 7.4 | v2026-03b | 2026-05-20
CWE-79. mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-
Source: NVD

CVE-2026-40874 | P3 | MEDIUM | CVSS 6.0 | fixed in 2026-03b | 2026-04-21
CWE-284. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the ma
Source: NVD

CVE-2026-40875 | P3 | HIGH | CVSS 7.0 | fixed in 2026-03b | 2026-04-21
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this
Source: NVD

CVE-2024-31204 | P4 | MEDIUM | CVSS 6.1 | fixed in 2024-04 | 2024-04-04
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sa
Source: NVD

CVE-2024-41959 | P4 | MEDIUM | CVSS 6.1 | fixed in 2024-07 | 2024-08-05
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actio
Source: NVD

CVE-2023-49077 | P4 | MEDIUM | CVSS 6.1 | fixed in 2023-11 | 2023-11-30
CWE-79. Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaS
Source: NVD

CVE-2024-41960 | P4 | MEDIUM | CVSS 4.8 | fixed in 2024-07 | 2024-08-05
CWE-79. mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead
Source: NVD
