PT-2026-34056 · Mailcow · Mailcow

Published

2026-04-21

·

Updated

2026-04-21

·

CVE-2026-40875

CVSS v4.0

7.0

High

Vector

AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

mailcow: dockerized versions prior to 2026-03b

Description

The user dashboard's login history, specifically the "Seen successful connections" section, does not HTML-escape the client IP rendered from the login logs. Because the server takes the source IP for logging from the 'X-Real-IP' header, an attacker can inject HTML or JavaScript into this field. The result is a self-XSS, which can be chained with login CSRF to force a victim into an attacker-controlled account and then let the attacker read emails from a browser tab that was already open.

Recommendations

Update to version 2026-03b.
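The two defensive controls implied by the description, as an added illustrative example (not mailcow's own code): only trust 'X-Real-IP' when the request came through the reverse proxy and the value parses as a literal IP address, and HTML-escape the logged value at render time regardless. The `trusted_proxy` flag and the row format are assumptions for the example.

```python
import html
import ipaddress

def client_ip_for_log(headers: dict, remote_addr: str, trusted_proxy: bool) -> str:
    """Return the IP address to write into the login log.

    'X-Real-IP' is honoured only if the TCP peer is the trusted reverse proxy
    (assumed to be decided by deployment config) AND the header value parses
    as a literal IPv4/IPv6 address. Anything else falls back to the peer
    address, so free-form text never reaches the log in the first place.
    """
    if trusted_proxy:
        candidate = headers.get("X-Real-IP", "").strip()
        try:
            # ip_address() raises ValueError for anything that is not an IP literal
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass
    return remote_addr

def render_login_row_unescaped(ip: str, when: str) -> str:
    """The vulnerable pattern: the logged IP is interpolated straight into HTML."""
    return f"<tr><td>{ip}</td><td>{when}</td></tr>"

def render_login_row(ip: str, when: str) -> str:
    """Hardened rendering: escape at output time, even though the IP was already
    validated, so a stale or legacy log entry cannot become markup either."""
    return f"<tr><td>{html.escape(ip, quote=True)}</td><td>{html.escape(when, quote=True)}</td></tr>"

# Constructed sample request: a header value that is not an IP address at all.
SAMPLE_HEADERS = {"X-Real-IP": "<b>not-an-ip</b>"}
SAMPLE_PEER = "203.0.113.5"   # documentation-range address, constructed
SAMPLE_TIME = "2026-04-21 10:00:00"

def demo() -> tuple[str, str, str]:
    """Return (logged IP, vulnerable row, hardened row) for the sample request."""
    logged = client_ip_for_log(SAMPLE_HEADERS, SAMPLE_PEER, trusted_proxy=True)
    raw_value = SAMPLE_HEADERS["X-Real-IP"]
    return logged, render_login_row_unescaped(raw_value, SAMPLE_TIME), render_login_row(raw_value, SAMPLE_TIME)

if __name__ == "__main__":
    for line in demo():
        print(line)
```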

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-40875

Affected Products

Mailcow