CVE-2026-7460

Vulnerability Description

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b.

Related Weaknesses (CWE)

CWE-79

References

https://fluidattacks.com/advisories/mojabi
https://github.com/mailcow/mailcow-dockerized
https://fluidattacks.com/advisories/mojabi

FAQ

What is CVE-2026-7460?

CVE-2026-7460 is a documented vulnerability. mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-contr...

How severe is CVE-2026-7460?

CVSS scoring is not yet available for CVE-2026-7460. Check NVD for updates.

Is there a patch for CVE-2026-7460?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.