{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40873", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T19:15:39.046Z", "dateUpdated": "2026-04-21T19:39:19.981Z"}, "containers": {"cna": {"title": "mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"version": "< 2026-03b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:15:39.046Z"}, "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability."}], "source": {"advisory": "GHSA-2xjc-rg88-jvpp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:39:14.654574Z", "id": "CVE-2026-40873", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:39:19.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40873", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:39:14.654574Z"}}}], "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:39:09.220Z"}}], "cna": {"title": "mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames", "source": {"advisory": "GHSA-2xjc-rg88-jvpp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"status": "affected", "version": "< 2026-03b"}]}], "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp", "name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:15:39.046Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40873", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:39:19.981Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:15:39.046Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability."}], "id": "CVE-2026-40873", "lastModified": "2026-04-22T21:02:31.267", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:00.820", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026-03b)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "mailcow-dockerized", "source": "cna", "vendor": "mailcow"}, "product": "mailcow_dockerized", "vendor": "mailcow"}], "analysis": {"en": {"generated_at": "2026-04-22T06:45:27.103446+00:00", "value": {"mitigation_remediation": ["Upgrade mailcow\u2011dockerized to version 2026\u201103b or later, which eliminates the unescaped rendering of attachment filenames.", "If possible, disable or restrict the Quarantine interface for untrusted mail until the upgrade is completed.", "Configure a strict content\u2011security\u2011policy header on the web admin interface to block inline JavaScript, reducing the risk of XSS exploitation."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows an attacker to execute arbitrary JavaScript in a web admin\u2019s browser, leading to account takeover"}, "threat_synthesis": {"affected_systems": "The flaw affects the mailcow\u2011dockerized suite. Any deployment of the open source groupware/email system that has not upgraded beyond the 2026\u201103b release is vulnerable.", "description_and_impact": "In mailcow\u2011dockerized versions before 2026\u201103b, the Quarantine details modal injects attachment filenames directly into the page\u2019s HTML without escaping. An attacker can craft an email with a malicious attachment name, and when an administrator opens the quarantine record, the browser executes the injected code. This results in a complete compromise of the administrator\u2019s account and any privileges the web interface confers.", "risk_and_exploitability": "The CVSS score of 8.9 indicates high severity. The EPSS score is not available, but the vulnerability is known to be actionable and is not yet listed in CISA\u2019s KEV catalog, suggesting exploitation is possible yet not widely observed. Likely attack vectors involve the attacker sending a crafted email and the administrator subsequently viewing the quarantine modal in a browser."}}}}, "created": "2026-04-22T07:00:12.116745+00:00", "updated": "2026-04-22T11:45:48.863560+00:00", "vendors": ["mailcow", "mailcow$PRODUCT$mailcow_dockerized"]}