HIGHCVE-2026-7460Published 2026-05-20Modified 2026-05-20CNA Fluid Attacks

CVE-2026-7460: mailcow-dockerized 2026-03b - Stored XSS in Queue Manager via unescaped

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b.

CVSS v4.0: 7.4
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

mailcow / mailcow-dockerized
2026-03b

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

References

fluidattacks.com
github.com

Metrics