CVE-2026-40878

LOW NUCLEI

mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

Title source: cna

Exploitation Summary

CVE-2026-40878 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.

Nuclei Templates (1)

Mailcow < 2026-03b - Href Link Injection

LOWVERIFIEDby ritikchaddha

Shodan: http.favicon.hash:2146763496

FOFA: title="mailcow"

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf

Scores

CVSS v4 2.1

EPSS 0.0080

EPSS Percentile 51.9%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

mailcow/mailcow-dockerized < 2026-03b

Published Apr 21, 2026

Tracked Since Apr 22, 2026