{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:21:56.837Z", "dateUpdated": "2026-04-21T19:21:56.837Z"}, "containers": {"cna": {"title": "mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf"}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"version": "< 2026-03b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:21:56.837Z"}, "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability."}], "source": {"advisory": "GHSA-xv9r-j862-5hqf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability."}], "id": "CVE-2026-40878", "lastModified": "2026-04-21T20:17:01.403", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:01.403", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026-03b)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "mailcow-dockerized", "source": "cna", "vendor": "mailcow"}, "product": "mailcow_dockerized", "vendor": "mailcow"}], "analysis": {"en": {"generated_at": "2026-04-22T05:28:57.887604+00:00", "value": {"mitigation_remediation": ["Upgrade mailcow-dockerized to v2026\u201103b or later, which removes the unsafe rendering of REQUEST_URI.", "If upgrading is not immediately possible, temporarily strip or encode $_SERVER['REQUEST_URI'] before passing it to Twig, or modify base.twig to use the \"js\" escape strategy for the string literal. This removes the reflection path for malicious inputs.", "Apply a temporary firewall rule or URL rewrite to reject or sanitize requests containing query parameters that encode JavaScript payloads targeting the login page."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (reflected)"}, "threat_synthesis": {"affected_systems": "The issue affects any installed instance of mailcow-dockerized version 2026\u201103b and earlier. The affected component is the base.twig template in the mailcow web interface. The vendor has released patch 2026\u201103b which eliminates the erroneous rendering of the request URI.", "description_and_impact": "A reflected parameter injection flaw was discovered in the mailcow-dockerized web interface. When the login page is accessed, the raw request URI is passed to Twig as a global variable and rendered inside a JavaScript string literal. Because the default HTML escaping is used instead of JavaScript escaping, an attacker can embed malicious script content that will execute in the victim\u2019s browser. The vulnerability allows an attacker to inject arbitrary JavaScript that runs with the privileges of the page, potentially facilitating credential theft, session hijacking, or other cross\u2011site attacks. The weakness is a classic reflected XSS, mapped to CWE\u201179.", "risk_and_exploitability": "The CVSS score is 2.1, indicating a low severity if mitigated, but the vulnerability could be abused if an attacker successfully lures an administrator or user to a crafted URL. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation data. The attack vector is reflected; the attacker must supply a URL that contains the malicious payload, and the victim must open the link in a browser that renders the login page. No authentication or privileged state is required for the exploit to be triggered. Consequently, while the risk is low in the absence of social\u2011engineering campaigns, the flaw still warrants immediate patching to eliminate the XSS surface."}}}}, "created": "2026-04-22T04:15:07.395876+00:00", "updated": "2026-04-22T05:30:09.560124+00:00", "vendors": ["mailcow", "mailcow$PRODUCT$mailcow_dockerized"]}