VYPR vendor page: Mailcow
Products: 2
CVEs: 24 (27 across products)
Status: Private

Recent CVEs (24)
  • CVE-2026-40872 | Critical | Apr 21, 2026
    risk 0.60 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover…

  • CVE-2017-8928 | High | May 14, 2017
    risk 0.60 | cvss 8.8 | epss 0.02

    mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.

  • CVE-2026-40873 | High | Apr 21, 2026
    risk 0.58 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted…

  • CVE-2026-7460 | High | May 20, 2026
    risk 0.48 | cvss: none listed | epss 0.00

    mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those…

  • CVE-2026-40871 | High | Apr 21, 2026
    risk 0.47 | cvss 7.2 | epss 0.10

    mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without…

  • CVE-2026-40875 | High | Apr 21, 2026
    risk 0.46 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP…

  • CVE-2024-56529 | High | Jan 28, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote…

  • CVE-2026-40874 | Medium | Apr 21, 2026
    risk 0.39 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied…

  • CVE-2026-40878 | Low | Apr 21, 2026
    risk 0.14 | cvss: none listed | epss 0.01

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the…

  • CVE-2024-30270 | Apr 4, 2024
    risk 0.04 | cvss: none listed | epss 0.27

    mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting…

  • CVE-2025-25198 | Feb 12, 2025
    risk 0.03 | cvss: none listed | epss 0.01

    mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an…

  • CVE-2022-31245 | May 20, 2022
    risk 0.02 | cvss: none listed | epss 0.05

    mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

  • CVE-2023-26490 | Mar 3, 2023
    risk 0.01 | cvss: none listed | epss 0.02

    mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse…

  • CVE-2025-53909 | Jul 17, 2025
    risk 0.00 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template…

  • CVE-2024-41960 | Aug 5, 2024
    risk 0.00 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to…

  • CVE-2024-41959 | Aug 5, 2024
    risk 0.00 | cvss: none listed | epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in…

  • CVE-2024-41958 | Aug 5, 2024
    risk 0.00 | cvss: none listed | epss 0.01

    mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other…

  • CVE-2024-31204 | Apr 4, 2024
    risk 0.00 | cvss: none listed | epss 0.08

    mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE.…

  • CVE-2024-24760 | Feb 2, 2024
    risk 0.00 | cvss: none listed | epss 0.01

    mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of…

  • CVE-2024-23824 | Feb 2, 2024
    risk 0.00 | cvss: none listed | epss 0.01

    mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been successfully uploaded as the logo, the application becomes slow and does not respond on the admin page. It is…