mailcow: dockerized Quarantine Feature Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in mailcow: dockerized versions prior to 2026-03b. The issue arises in the Quarantine details modal, which improperly injects attachment filenames into the HTML without proper escaping. This flaw allows for the execution of arbitrary HTML and JavaScript. An attacker can exploit this by sending an email with a crafted attachment name that, when viewed by an administrator in the quarantine, executes JavaScript in the admin's browser, potentially taking over their account.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the quarantine, specifically an administrator. This could lead to a complete takeover of the mailcow instance, as the admin could be manipulated to perform actions such as resetting passwords on other services, thereby compromising additional accounts.

Reproduction

To reproduce this vulnerability, first set up a mailcow instance and configure the quarantine settings to retain only one item per mailbox and limit the maximum size to one MiB. Next, send an email to a mailbox on the mailcow server with an attachment that has a malicious filename, including JavaScript payloads, and the EICAR string to trigger quarantine. Once the email is quarantined, an administrator can view the attachment details, which will execute the embedded JavaScript.

Remediation

Users should update to mailcow: dockerized version 2026-03b or later, where this vulnerability has been fixed.