CVE-2026-40878

Summary

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $_SERVER['REQUEST_URI'] to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang() helper of base.twig, relying on Twig's default HTML auto-escaping instead of the context-appropriate js escaping strategy. In addition, the query_string() Twig helper merges all current $_GET parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.

Affected Software

VendorProductVersion RangeStatus
mailcowmailcow-dockerized< 2026-03baffected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References