Name of the Vulnerable Software and Affected Versions:

mailcow: dockerized versions prior to 2025-07

Description:

A Server-Side Template Injection (SSTI) vulnerability exists in the notification template system used for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. Exploitation requires admin-level access to the mailcow UI to configure templates, which are automatically rendered during normal system operation.

Recommendations:

Update to version 2025-07 or later.