PT-2026-34053 · Mailcow · Mailcow

Published: 2026-04-21 · Updated: 2026-04-22 · CVE-2026-40872

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: mailcow: dockerized, versions prior to 2026-03b

Description: The admin dashboard Autodiscover logs do not HTML-escape the EMailAddress value, which is logged as the user field. An unauthenticated attacker can submit a crafted Autodiscover request whose EMailAddress parameter contains HTML or JavaScript. The payload is stored in Redis and later executed in the browser of an administrator who views the Autodiscover logs. This is a Stored Cross-Site Scripting (XSS) issue: the malicious script is persisted on the target server rather than reflected from a single request.

Recommendations: Update to version 2026-03b.
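As an added illustration (not mailcow's own code), the output pattern that produces this class of bug beside its escaped form, plus a sweep that flags stored log entries whose user field is not a plain address; the JSON record layout, the field names and the sample entries are assumptions constructed for this example:

```python
import html
import json
import re

# Constructed sample entries, in the shape an Autodiscover log record is
# assumed to take here (one JSON object per entry; the EMailAddress value
# from the request ends up in the "user" field). Not mailcow's real format.
SAMPLE_LOG = [
    '{"time": 1776700000, "ua": "Outlook/16.0", "user": "alice@example.org", "service": "autodiscover"}',
    '{"time": 1776700001, "ua": "curl/8.0", "user": "<script>/*constructed*/</script>", "service": "autodiscover"}',
]

# Loose shape check: a value with HTML metacharacters or without a single "@"
# is not an e-mail address and should never reach a page unescaped.
EMAIL_RE = re.compile(r'^[^@\s<>"\'&]+@[^@\s<>"\'&]+\.[^@\s<>"\'&]+$')


def render_row_unescaped(entry: dict) -> str:
    """The vulnerable pattern: the stored value is interpolated into markup as-is."""
    return f"<td>{entry['time']}</td><td>{entry['user']}</td><td>{entry['ua']}</td>"


def render_row_escaped(entry: dict) -> str:
    """The fix: every untrusted field is HTML-escaped at the point of output."""
    cells = (html.escape(str(entry[k]), quote=True) for k in ("time", "user", "ua"))
    return "".join(f"<td>{c}</td>" for c in cells)


def suspicious_entries(lines: list[str]) -> list[dict]:
    """Detection: return stored entries whose user field is not a plain address.

    Useful for sweeping an existing log store for values that arrived before
    the escaping fix was deployed.
    """
    flagged = []
    for line in lines:
        entry = json.loads(line)
        if not EMAIL_RE.match(str(entry.get("user", ""))):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_LOG):
        print("unescaped:", render_row_unescaped(entry))
        print("escaped:  ", render_row_escaped(entry))
```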

Weakness Enumeration: XSS

Related Identifiers: CVE-2026-40872

Affected Products: Mailcow