CVE-2026-40875

mailcow: dockerized vulnerable to stored XSS in user login history real_rip

Assigner: GitHub_M
Reserved: 15.04.2026 Published: 21.04.2026 Updated: 21.04.2026

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
CVSS Score: 7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	High	Integrity	None	Integrity	High
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	mailcow
Product	mailcow-dockerized
Versions	Version < 2026-03b is affected

Vendor

mailcow

Product

mailcow-dockerized

Versions

Version < 2026-03b is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE

CVE-2026-40875 PUBLISHED

mailcow: dockerized vulnerable to stored XSS in user login history real_rip

Metrics

Product Status

References

Problem Types