Vulnerability Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-40878?
CVE-2026-40878 is a documented vulnerability. mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global templ...
How severe is CVE-2026-40878?
CVSS scoring is not yet available for CVE-2026-40878. Check NVD for updates.
Is there a patch for CVE-2026-40878?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.