VYPR
High severity · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-7460

Description

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding.

This issue affects mailcow-dockerized: 2026-03b.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in mailcow-dockerized Queue Manager allows any mail sender to execute arbitrary JavaScript in an administrator's browser by embedding malicious HTML in Postfix queue fields.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the administrator Queue Manager of mailcow-dockerized version 2026-03b. The Queue Manager retrieves mail queue entries from the /api/v1/get/mailq/all endpoint, which returns the Postfix queue fields as JSON. The admin UI at /admin/queue (data/web/js/site/queue.js) copies the untrusted sender, queue_name, and queue_id fields directly into DataTables rows without HTML output encoding. The recipients field is escaped with escapeHtml and the message content is rendered via .text(), but sender, queue name, and queue ID are assigned as raw HTML, so markup embedded in them is interpreted by the browser and any script it carries executes [1]. DataTables writes display values into cells as HTML unless a text renderer is specified, and the encodeURI call applied to queue_id does not protect an HTML attribute context [1].
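As an added illustration (not mailcow's code), the following JavaScript models how a DataTables column definition without a text renderer turns a queue field into live markup, beside the escaped form; escapeHtml, renderRow and rowContainsRawTag are assumed helper names, and the queue entry is a constructed sample.

```javascript
// Added example, not code from mailcow-dockerized. Models the DataTables
// cell-building step described in the advisory: a column with no `render`
// has its value written into the cell as HTML; a column whose render escapes
// the value behaves like $.fn.dataTable.render.text().

// Assumed implementation of an escapeHtml helper (mailcow applies one to the
// recipients column; its exact implementation is not reproduced here).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Column set matching the advisory: only recipients is escaped.
const unsafeColumns = [
  { data: 'queue_id' },
  { data: 'queue_name' },
  { data: 'sender' },
  { data: 'recipients', render: escapeHtml },
];

// Hardened column set: every server-controlled field goes through a text render.
const safeColumns = unsafeColumns.map(c => ({ ...c, render: escapeHtml }));

// Model of the HTML string DataTables would assign via innerHTML for one row.
function renderRow(columns, row) {
  return columns
    .map(c => `<td>${c.render ? c.render(row[c.data]) : row[c.data]}</td>`)
    .join('');
}

// Constructed queue entry shaped like one item from /api/v1/get/mailq/all;
// the envelope sender carries markup (constructed sample, not real data).
const sampleEntry = {
  queue_id: 'QUEUEID-PLACEHOLDER', // constructed placeholder id
  queue_name: 'deferred',
  sender: 'someone@example.invalid<img src=x onerror=alert(1)>',
  recipients: 'admin@example.invalid',
};

// True if the rendered row still contains an unescaped tag from the input.
function rowContainsRawTag(html) {
  return /<img\b/i.test(html);
}

// encodeURI leaves the single quote (and other attribute-breaking characters)
// untouched, so it is not a substitute for HTML attribute encoding.
function encodeUriPreservesQuote(s) {
  return encodeURI(s) === s;
}
```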

Exploitation

An attacker who can cause a crafted message to remain in the Postfix queue (for example, by sending an email with a malicious envelope sender address, or by otherwise manipulating queue metadata) can embed arbitrary HTML and JavaScript in the sender, queue_name, or queue_id fields. When an authenticated administrator visits the Queue Manager page, DataTables writes the unescaped values into table cells using innerHTML, and the attacker-supplied script executes in the administrator's browser context. The data originates from the API at data/web/json_api.php:562-568 and data/web/inc/functions.mailq.inc.php:49-77, which does not escape queue data because it returns JSON [1]. No user interaction beyond the administrator opening the Queue Manager is required.

Impact

A successful XSS attack allows the attacker to execute arbitrary JavaScript in the context of the administrator's session. This can lead to theft of session cookies, impersonation of the administrator, modification of mailcow settings, disclosure of internal data, or further compromise of the mail server. The attacker achieves persistent cross-site scripting at the privilege level of the administrator, with no additional authentication steps required beyond the initial injection into the mail queue [1].

Mitigation

As of the cited references, no fixed version has been released; the vulnerability is present in mailcow-dockerized 2026-03b. Users should watch the official GitHub repository [2] or security channels for a patch. The advisory documents no specific workaround; possible interim measures are to restrict administrative access to the Queue Manager to trusted IP addresses, or to disable the Queue Manager if it is not essential. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.


References: 1
