Stored Cross-Site Scripting Vulnerability in Mailcow Email Suite
CVE-2026-40872

9.3 CRITICAL

Key Information:

Vendor:
Mailcow

CVE Published:
21 April 2026

What is CVE-2026-40872?

mailcow-dockerized (the "mailcow: dockerized" email suite) contains a stored cross-site scripting (XSS) vulnerability in its admin dashboard. The Autodiscover log view renders the 'user' field, which is populated from the EMailAddress value of incoming Autodiscover requests, without HTML escaping. Autodiscover requests are accepted without authentication, so an attacker can submit one whose EMailAddress carries a script payload. The value is written verbatim to the Redis-backed log, and when an admin later opens the Autodiscover logs the payload runs in that admin's browser with the admin session's privileges, which can lead to session or account compromise. Because the payload is stored, it fires for every admin who views the affected log entries, not just once. The issue is fixed in version 2026-03b; the correct fix is escaping at render time, since the log should keep the raw received value for forensic purposes. Until upgraded, administrators should treat the Autodiscover log view as untrusted content.

Affected Version(s)

mailcow-dockerized < 2026-03b

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
