PT-2026-42099 · Unknown · Mailcow-Dockerized

Oscar Naveda · Published 2026-05-20 · Updated 2026-05-20 · CVE-2026-7460

CVSS v4.0: 7.4 (High)

Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: mailcow-dockerized version 2026-03b

Description: A stored cross-site scripting issue exists in the administrator Queue Manager. The Queue Manager retrieves mail queue entries from the endpoint '/api/v1/get/mailq/all' and copies server-controlled Postfix queue fields into DataTables rows. Several of these fields are rendered as HTML without adequate output encoding, allowing for the execution of malicious scripts.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
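
The output encoding the description refers to, sketched as an added example; it is not mailcow's code and not a published fix. The field names follow Postfix's `postqueue -j` JSON output, and the response shape, the sample entries and the helper names `escapeHtml` and `toSafeRow` are assumptions made for illustration.

```javascript
// Added example, not mailcow code. Assumption: queue entries carry the
// fields of Postfix's `postqueue -j` output (queue_id, queue_name, sender,
// recipients[].address, recipients[].delay_reason).

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one table row. Every server-supplied string is encoded first;
// only the markup written here (<small>, <br>) reaches the table as HTML.
function toSafeRow(entry) {
  const recipients = Array.isArray(entry.recipients) ? entry.recipients : [];
  return {
    queue_id: escapeHtml(entry.queue_id),
    queue_name: escapeHtml(entry.queue_name),
    sender: escapeHtml(entry.sender),
    recipients: recipients.map((r) => {
      const address = escapeHtml(r && r.address);
      const reason = escapeHtml(r && r.delay_reason);
      return reason ? `${address} <small>(${reason})</small>` : address;
    }).join('<br>'),
  };
}

// Constructed sample data: the second entry carries markup in a field that
// originates outside the administrator's control.
const sampleQueue = [
  { queue_id: '4A1B2C3D4E', queue_name: 'deferred', sender: 'alice@example.org',
    recipients: [{ address: 'bob@example.net',
      delay_reason: 'connect to mx.example.net[192.0.2.10]:25: Connection timed out' }] },
  { queue_id: '5F6A7B8C9D', queue_name: 'deferred', sender: 'dave@example.org',
    recipients: [{ address: 'carol@example.net',
      delay_reason: 'host said: <i>marked-up text</i> try later' }] },
];

const safeRows = sampleQueue.map(toSafeRow);
console.log(safeRows[1].recipients);
```

Rows built this way can be handed to DataTables as data; for columns that need no markup of their own, DataTables' built-in `$.fn.dataTable.render.text()` renderer performs the same encoding.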

Exploit

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-7460

Affected Products: Mailcow-Dockerized