Mailcow
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40872 | | Critical | 0.60 | — | 0.00 | | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover… |
| CVE-2017-8928 | | High | 0.60 | 8.8 | 0.02 | | May 14, 2017 | mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF. |
| CVE-2026-40873 | | High | 0.58 | — | 0.00 | | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted… |
| CVE-2026-7460 | | High | 0.48 | — | 0.00 | | May 20, 2026 | mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those… |
| CVE-2026-40871 | | High | 0.47 | 7.2 | 0.10 | | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without… |
| CVE-2026-40875 | | High | 0.46 | — | 0.00 | | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP… |
| CVE-2024-56529 | | High | 0.46 | 7.1 | 0.00 | | Jan 28, 2025 | Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote… |
| CVE-2026-40874 | | Medium | 0.39 | — | 0.00 | | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied… |
| CVE-2026-40878 | | Low | 0.14 | — | 0.01 | | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the… |
| CVE-2024-30270 | | | 0.04 | — | 0.27 | | Apr 4, 2024 | mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting… |
| CVE-2025-25198 | | | 0.03 | — | 0.01 | | Feb 12, 2025 | mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an… |
| CVE-2022-31245 | | | 0.02 | — | 0.05 | | May 20, 2022 | mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs. |
| CVE-2023-26490 | | | 0.01 | — | 0.02 | | Mar 3, 2023 | mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature, which can be made available to standard users by assigning them the necessary permission, suffers from a shell command injection. A malicious user can abuse… |
| CVE-2025-53909 | | | 0.00 | — | 0.00 | | Jul 17, 2025 | mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template… |
| CVE-2024-41960 | | | 0.00 | — | 0.00 | | Aug 5, 2024 | mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to… |
| CVE-2024-41959 | | | 0.00 | — | 0.00 | | Aug 5, 2024 | mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in… |
| CVE-2024-41958 | | | 0.00 | — | 0.01 | | Aug 5, 2024 | mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other… |
| CVE-2024-31204 | | | 0.00 | — | 0.08 | | Apr 4, 2024 | mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE.… |
| CVE-2024-24760 | | | 0.00 | — | 0.01 | | Feb 2, 2024 | mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of… |
| CVE-2024-23824 | | | 0.00 | — | 0.01 | | Feb 2, 2024 | mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been successfully uploaded as the logo, the application becomes slow and doesn't respond in the admin page. It is… |