
mailcow — Vulnerabilities & Security Advisories (20)

Browse all 20 CVE security advisories affecting mailcow. AI-powered Chinese analysis, POCs, and references for each vulnerability.

mailcow is an open-source mail server solution designed to provide a comprehensive, self-hosted email infrastructure for organizations and individuals. Its architecture integrates Postfix, Dovecot, and SOGo, aiming to simplify the deployment of secure email services. Historically, the software has been associated with various vulnerability classes, including remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration interactions or unpatched dependencies. With twenty CVEs currently on record, these issues typically highlight challenges in maintaining secure defaults and managing third-party components within the Docker-based environment. While no single catastrophic incident has defined its history, the recurring nature of these flaws underscores the importance of rigorous patch management. Users must prioritize regular updates and strict access controls to mitigate risks, ensuring the platform remains a viable option for those seeking full control over their email communications without relying on proprietary services.

Top products by mailcow: mailcow-dockerized
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40878 | mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping | mailcow-dockerized | CWE-79 | 8.2 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-40875 | mailcow: dockerized vulnerable to stored XSS in user login history real_rip | mailcow-dockerized | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-40874 | mailcow: dockerized missing authorization on Forwarding Hosts delete action | mailcow-dockerized | CWE-284 | 5.4 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-40873 | mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames | mailcow-dockerized | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-40872 | mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field | mailcow-dockerized | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-40871 | mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API | mailcow-dockerized | CWE-20 | 7.2 | High | 2026-04-21 |
| CVE-2025-53909 | mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template | mailcow-dockerized | CWE-1336 | 9.1 | Critical | 2025-07-17 |
| CVE-2025-25198 | mailcow: dockerized vulnerable to password reset poisoning | mailcow-dockerized | CWE-601 | 7.1 | High | 2025-02-12 |
| CVE-2024-41960 | Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized | mailcow-dockerized | CWE-79 | 3.8 | Low | 2024-08-05 |
| CVE-2024-41959 | Cross-site Scripting (XSS) via API Logs in mailcow: dockerized | mailcow-dockerized | CWE-79 | 7.6 | High | 2024-08-05 |
| CVE-2024-41958 | Two-Factor Authentication (2FA) Bypass in mailcow: dockerized | mailcow-dockerized | CWE-697 | 6.6 | Medium | 2024-08-05 |
| CVE-2024-31204 | mailcow Cross-site Scripting Vulnerability via Exception Handler | mailcow-dockerized | CWE-79 | 6.1 | Medium | 2024-04-04 |
| CVE-2024-30270 | mailcow Path Traversal and Arbitrary Code Execution Vulnerability | mailcow-dockerized | CWE-22 | 6.2 | Medium | 2024-04-04 |
| CVE-2024-24760 | Mailcow Docker Container Exposure to Local Network | mailcow-dockerized | CWE-610 | 8.8 | High | 2024-02-02 |
| CVE-2024-23824 | mailcow ipixel flood attack leads to Denial of Service in admin page | mailcow-dockerized | CWE-400 | 4.7 | Medium | 2024-02-02 |
| CVE-2023-49077 | mailcow-dockerized XSS Vulnerability in Quarantine UI Allows Unauthorized Access and Data Manipulation | mailcow-dockerized | CWE-79 | 8.3 | High | 2023-11-30 |
| CVE-2023-34108 | Manipulation of Internal Dovecot Variables in mailcow via crafted Passwords | mailcow-dockerized | CWE-78 | 8.8 | High | 2023-06-07 |
| CVE-2023-26490 | mailcow is vulnerable to shell command injection via xoauth2 authentication in imapsync | mailcow-dockerized | CWE-78 | 7.3 | High | 2023-03-03 |
| CVE-2022-39258 | mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI | mailcow-dockerized | CWE-451 | 8.1 | High | 2022-09-27 |
| CVE-2022-31138 | OS Command Injection in mailcow | mailcow-dockerized | CWE-78 | 8.8 | High | 2022-07-11 |

Scores and severities marked "(AI)" carry the listing's AI tag next to the value rather than a published CVSS rating.

This page lists every published CVE security advisory associated with mailcow. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.