Critical severityNVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-40872

Description

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.

Affected products

Mailcow/Mailcow Dockerizedinferred
Range: <2026-03b

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgmnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000