{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40875", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T19:19:55.768Z", "dateUpdated": "2026-04-21T20:36:24.334Z"}, "containers": {"cna": {"title": "mailcow: dockerized vulnerable to stored XSS in user login history real_rip", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"version": "< 2026-03b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:19:55.768Z"}, "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's \"Seen successful connections\" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability."}], "source": {"advisory": "GHSA-jprq-w83q-q62h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:53:02.686540Z", "id": "CVE-2026-40875", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:24.334Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40875", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:53:02.686540Z"}}}], "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:53:12.403Z"}}], "cna": {"title": "mailcow: dockerized vulnerable to stored XSS in user login history real_rip", "source": {"advisory": "GHSA-jprq-w83q-q62h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"status": "affected", "version": "< 2026-03b"}]}], "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h", "name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's \"Seen successful connections\" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:19:55.768Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40875", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:24.334Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:19:55.768Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's \"Seen successful connections\" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability."}], "id": "CVE-2026-40875", "lastModified": "2026-04-22T21:02:31.267", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:01.120", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026-03b)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "mailcow-dockerized", "source": "cna", "vendor": "mailcow"}, "product": "mailcow_dockerized", "vendor": "mailcow"}], "analysis": {"en": {"generated_at": "2026-04-22T05:30:46.621106+00:00", "value": {"mitigation_remediation": ["Upgrade mailcow\u2011dockerized to version 2026\u201103b or later, which properly escapes the X\u2011Real\u2011IP input.", "If an immediate upgrade is not feasible, reconfigure the external reverse\u2011proxy to remove or strictly validate the X\u2011Real\u2011IP header before it reaches the application, ensuring only trusted internal sources can provide that header.", "As an alternative interim measure, restrict access to the /login endpoint by requiring an anti\u2011CSRF token or by limiting login requests to authenticated internal sources, thereby mitigating the likelihood that a Login CSRF can trigger the self\u2011XSS."], "summary": {"action": "Patch", "impact": "Confidentiality breach"}, "threat_synthesis": {"affected_systems": "The affected product is the mailcow\u2011dockerized groupware/email suite. All releases prior to the 2026\u201103b tag are vulnerable. The fix was committed in that tag and later releases do not contain the flaw.", "description_and_impact": "The vulnerability exists in mailcow\u2011dockerized versions older than 2026\u201103b. The user dashboard logs the client IP from the X\u2011Real\u2011IP header without applying HTML escaping, so an attacker can embed malicious HTML or JavaScript in that field. Although the flaw is a stored self\u2011XSS, a Login CSRF can force a victim to log into an attacker\u2011controlled account; the injected script then runs in the victim\u2019s browser and can read the content of the victim\u2019s mail in the previous tab, exposing private information.", "risk_and_exploitability": "With a CVSS score of 7, the issue is considered high\u2011severity. An EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog, indicating limited publicly documented exploitation. The flaw relies on a trusted X\u2011Real\u2011IP header that many deployments accept unvalidated, which an attacker can supply. Because it is a self\u2011XSS that requires end\u2011user interaction, the attacker must trick the victim into executing the payload\u2014this can be achieved through a Login CSRF that forces the victim to log in to a compromised account. Once the payload runs, it can arbitrarily read the victim\u2019s email data, causing a confidentiality breach."}}}}, "created": "2026-04-22T05:45:09.817826+00:00", "updated": "2026-04-22T11:45:45.331866+00:00", "vendors": ["mailcow", "mailcow$PRODUCT$mailcow_dockerized"]}