PT-2026-34054 · Mailcow · Mailcow

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-40873

CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: mailcow: dockerized, versions prior to 2026-03b

Description: The Quarantine details modal injects attachment filenames into HTML without escaping, which allows arbitrary HTML and JavaScript execution. An attacker can send an email with a specially crafted attachment name; when an administrator views the quarantined item, the JavaScript executes in their browser, potentially leading to account takeover.

Recommendations: Update to version 2026-03b.
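The rendering defect the description refers to, shown as an added illustration (this is not mailcow's code): an attachment name concatenated straight into markup beside the same row built with HTML escaping. The function names and the sample filename are constructed for the example.

```javascript
// Added example, not mailcow's own code: unescaped interpolation of an
// untrusted attachment filename into HTML, beside the escaped version.

// Constructed sample: an attachment name that carries HTML markup.
const SAMPLE_FILENAME = '<b>urgent</b> invoice.pdf';

// Vulnerable pattern: the filename becomes part of the markup, so any tags
// it contains are parsed by the browser once the string hits innerHTML.
function renderAttachmentRowUnsafe(filename) {
  return '<li class="attachment">' + filename + '</li>';
}

// Fix: escape the HTML-significant characters before interpolation.
// (Equivalent DOM fix: create the element and assign the value to
// textContent, which never parses it as markup.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderAttachmentRowSafe(filename) {
  return '<li class="attachment">' + escapeHtml(filename) + '</li>';
}

// Review check: after removing the trusted wrapper, the part that came
// from the untrusted value must not contain raw tag delimiters.
function containsRawTag(html) {
  const inner = html.replace('<li class="attachment">', '').replace('</li>', '');
  return /[<>]/.test(inner);
}
```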

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-40873

Affected Products: Mailcow