HTML Injection Vulnerability in mailcow: dockerized Email Suite by Mailcow
CVE-2026-40873

8.9 HIGH

Key Information:

Vendor: Mailcow
CVE Published: 21 April 2026

What is CVE-2026-40873?

mailcow: dockerized, an open-source groupware and email suite, has an HTML injection vulnerability caused by improper handling of attachment filenames in the Quarantine details modal. When an administrator views a quarantined item, the attachment names are inserted into the modal's HTML without escaping, which can lead to execution of arbitrary JavaScript in the administrator's browser. An attacker who delivers a malicious email with a crafted attachment name could thereby take control of the admin's account. The issue is fixed in version 2026-03b.
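As an added illustration (constructed code, not mailcow's own), the rendering pattern behind this advisory: an attachment list built by splicing attacker-controlled filenames into markup, beside the hardened form that escapes every untrusted field first. The attachment object shape (filename, size) and the helper names are assumptions for the example.

```javascript
// Added example, not code from the mailcow project. Attachment names on a
// quarantined message are attacker-controlled input; the unsafe renderer
// concatenates them straight into HTML, the safe one escapes them first.

// Minimal HTML escaper for text placed in element content or a
// double-quoted attribute value (order matters: '&' is replaced first).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: filename interpolated directly into markup.
function renderAttachmentsUnsafe(attachments) {
  return attachments
    .map((a) => `<li>${a.filename} (${a.size} bytes)</li>`)
    .join("");
}

// Hardened pattern: every untrusted field is escaped before insertion.
function renderAttachmentsSafe(attachments) {
  return attachments
    .map((a) => `<li>${escapeHtml(a.filename)} (${escapeHtml(a.size)} bytes)</li>`)
    .join("");
}

// Detection helper for a unit test or review check: true if the rendered
// markup contains any tag other than the <li> the renderer itself emits,
// i.e. a filename smuggled markup into the modal.
function containsForeignTag(html) {
  const stripped = html.replace(/<\/?li>/g, "");
  return /<[a-z!\/]/i.test(stripped);
}

// Constructed sample data: one benign name, one carrying an HTML tag.
const sampleAttachments = [
  { filename: "invoice.pdf", size: 2048 },
  { filename: "notes<b>bold</b>.txt", size: 17 },
];

// Renders the sample both ways and reports whether markup leaked through.
function demo() {
  const unsafe = renderAttachmentsUnsafe(sampleAttachments);
  const safe = renderAttachmentsSafe(sampleAttachments);
  return { unsafeHasTag: containsForeignTag(unsafe), safeHasTag: containsForeignTag(safe) };
}
```

Running demo() reports the leak for the unsafe renderer only; the same containsForeignTag check can be dropped into a template's test suite to catch regressions.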

Affected Version(s)

mailcow-dockerized < 2026-03b

References

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved