Vulnerability Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.
Related Weaknesses (CWE)
References
- https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72
- https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72
FAQ
What is CVE-2026-40872?
CVE-2026-40872 is a documented vulnerability. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" ...
How severe is CVE-2026-40872?
CVSS scoring is not yet available for CVE-2026-40872. Check NVD for updates.
Is there a patch for CVE-2026-40872?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.