
mailcow-dockerized 2026-03b - Stored XSS in Queue Manager
7.4
High
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Naveda
Summary
Full name
mailcow-dockerized 2026-03b - Stored XSS in Queue Manager via unescaped Postfix queue fields
Code name
State
Public
Release date
Affected product
mailcow-dockerized
Vendor
mailcow
Affected version(s)
2026-03b
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
7.4
Exploit available
Yes
CVE ID(s)
Description
mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding.
The vulnerable page is reachable by administrators at /admin/queue. A lower-privileged mail sender, or any attacker who can cause a crafted message to remain in the Postfix queue, can place HTML markup in queue metadata such as the envelope sender. When an administrator opens the Queue Manager, DataTables writes the unescaped value into a table cell using innerHTML, causing attacker-supplied HTML/JavaScript to execute in the administrator's browser.
Recipients are escaped with escapeHtml, and the queued-message modal inserts the message content using .text(). Those controls do not protect the unescaped queue fields (sender, queue_name, queue_id) and the checkbox/action fragments constructed from queue_id.
Vulnerability
Root cause
Untrusted queue data returned by the API (data/web/json_api.php:562-568, data/web/inc/functions.mailq.inc.php:49-77): mailq('get') executes the Docker API mail queue list task and returns JSON-decoded Postfix postqueue -j rows. The API does not HTML-escape fields because it returns JSON data.
Postfix queue data is copied into DataTables rows without escaping (data/web/js/site/queue.js:49-58, data/web/js/site/queue.js:79-109): recipients is escaped, but sender, queue_name, and queue_id are assigned directly to DataTables columns. queue_id is also inserted into HTML attribute fragments. encodeURI is not an HTML attribute encoder and should not be used as an escaping boundary for markup construction.
DataTables renders display values as HTML (data/web/js/build/004-datatables.js:3185-3189): with no render: $.fn.dataTable.render.text() or equivalent escaping on the text columns, DataTables treats queue field values as HTML.
Confirmed source-to-sink path
Source: Postfix queue JSON from the Docker API.
API wrapper: data/Dockerfiles/dockerapi/modules/DockerApi.py:164-172 returns the command output as UTF-8 text.
Application endpoint: data/web/inc/functions.mailq.inc.php:49-77 parses each JSON line, normalizes recipients, and returns json_encode($line) without modifying sender, queue_name, or queue_id.
Frontend fetch: data/web/js/site/queue.js:46-49 loads /api/v1/get/mailq/all.
Vulnerable mapping: data/web/js/site/queue.js:50-58 creates HTML fragments from queue_id; data/web/js/site/queue.js:79-109 maps queue_id, queue_name, and sender directly into display columns.
Sink: DataTables assigns the display value to innerHTML in data/web/js/build/004-datatables.js:3189.
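The root cause and the source-to-sink path above reduce to one question: is a column's display value HTML-encoded before DataTables writes it into the cell? The following added example (an editor's model, not code from mailcow's queue.js or from DataTables) shows the vulnerable column mapping beside the hardened one. The escapeHtml function mirrors the replacement set DataTables' $.fn.dataTable.render.text() applies, the renderRow function stands in for the innerHTML assignment, and the sample rows are constructed in the shape of /api/v1/get/mailq/all output; the sender payload is illustrative, not a captured value.

```javascript
// Added example (editor's illustration, not mailcow's queue.js or DataTables code).
// Models how a row from /api/v1/get/mailq/all becomes cell HTML: the vulnerable
// column definitions pass field values straight through (what DataTables does when a
// column has no render.text()), the hardened ones HTML-encode them first.

// Same replacement set DataTables' $.fn.dataTable.render.text() applies: & < > "
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Column definitions in the spirit of the DataTables API. `render` is applied to the
// display value; without it the raw string is what lands in cell.innerHTML.
const vulnerableColumns = [
  { data: "queue_id" },
  { data: "queue_name" },
  { data: "sender" },
  { data: "recipients", render: (v) => v.map(escapeHtml).join("<br>") },
];

const hardenedColumns = [
  { data: "queue_id", render: escapeHtml },
  { data: "queue_name", render: escapeHtml },
  { data: "sender", render: escapeHtml },
  { data: "recipients", render: (v) => v.map(escapeHtml).join("<br>") },
];

// Stand-in for the DataTables cell assignment: returns, per column, the string that
// would be written to innerHTML.
function renderRow(row, columns) {
  return columns.map((col) => {
    const value = row[col.data];
    return col.render ? col.render(value) : String(value);
  });
}

// Constructed sample rows (not captured from a real instance) in the shape of
// postqueue -j output as re-emitted by the API. The second row's envelope sender
// carries the kind of markup the advisory describes; a quoted local-part is used so
// the value is at least syntactically an address.
const sampleRows = [
  { queue_id: "4F3A1B2C9D", queue_name: "deferred",
    sender: "alice@example.com", recipients: ["bob@example.net"] },
  { queue_id: "4F3A1B2C9E", queue_name: "deferred",
    sender: '"<img src=x onerror=alert(document.domain)>"@example.com',
    recipients: ["carol@example.net"] },
];

// Rough check for a tag surviving into cell HTML. A browser would parse <img ...> here
// and fire onerror; for this model a string check is sufficient.
function cellContainsTag(cellHtml) {
  return /<[a-z]/i.test(cellHtml);
}

function senderCellIsExploitable(row, columns) {
  const senderIdx = columns.findIndex((c) => c.data === "sender");
  return cellContainsTag(renderRow(row, columns)[senderIdx]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of sampleRows) {
    console.log(row.queue_id,
      "vulnerable:", senderCellIsExploitable(row, vulnerableColumns),
      "hardened:", senderCellIsExploitable(row, hardenedColumns));
  }
}
```

The fix the model points at is the one the root cause names: give every text column a render of $.fn.dataTable.render.text() (or an equivalent escaper) so that sender, queue_name and queue_id get the treatment recipients already receives. Escaping at the API would be wrong, since the endpoint returns JSON, not HTML; the encoding boundary belongs where the string is turned into markup.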
Attack primitive
A malicious queue row containing the following sender value is enough to demonstrate the DOM sink:
When rendered in the sender column, the <img> element is parsed by the browser and its onerror handler executes.
Impact
An attacker who can cause a crafted mail item to remain visible in the Postfix queue can execute JavaScript in an administrator's authenticated Mailcow UI session when the administrator opens /admin/queue.
Potential impact includes:
Reading administrator-visible Mailcow UI data through same-origin API requests.
Performing administrator actions through authenticated API calls, subject to CSRF and permission checks present on each endpoint.
Stealing or abusing data exposed to the administrator's browser session.
The Queue Manager route is admin-only (data/web/admin/queue.php:5), so the direct victim is an administrator. The attacker does not need Mailcow administrator privileges; the required capability is control over queue metadata that is displayed by the Queue Manager.
Relevant code:
data/web/admin/queue.php:5-8 (admin Queue Manager route and page script)
data/web/json_api.php:562-568 (/api/v1/get/mailq/all response)
data/web/inc/functions.mailq.inc.php:49-77 (Postfix queue JSON parsing)
data/Dockerfiles/dockerapi/modules/DockerApi.py:164-172 (postqueue -j source)
data/web/js/site/queue.js:49-58 (unsafe HTML fragment construction)
data/web/js/site/queue.js:79-109 (unescaped DataTables text columns)
data/web/js/build/004-datatables.js:3185-3189 (innerHTML sink)
PoC
Preconditions
mailcow: dockerized instance with the affected Queue Manager frontend.
An administrator account that can access /admin/queue.
A crafted Postfix queue item whose metadata includes attacker-controlled HTML, and which remains in the queue long enough for the administrator to view it. In a realistic deployment, this can be produced by a user able to submit outbound mail that becomes deferred/held, or by any mail-flow condition that leaves an attacker-influenced message in the queue.
Step 1 - Baseline queue response
Request:
Expected safe response shape:
Step 2 - Malicious queue row
Cause a queue row to contain an HTML-bearing sender. The following JSON row is representative of the data shape needed to trigger the vulnerability:
The important property is that sender contains an HTML tag. The frontend does not encode this field before passing it to DataTables.
Step 3 - Administrator opens Queue Manager
The administrator visits:
Expected result:
The page loads data/web/js/site/queue.js, and draw_queue() fetches /api/v1/get/mailq/all.
The sender column is rendered through DataTables as HTML.
The injected <img> element is created and onerror executes in the administrator's browser.
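Steps 1 to 3 describe the trigger from the attacker's side; a defender running an affected version wants the reverse check, namely whether the queue currently holds a row that would reach the sink with markup intact. The added example below (an editor's triage helper, not part of mailcow) scans the JSON body returned by /api/v1/get/mailq/all for HTML metacharacters in the three unescaped fields and for queue_id values that do not look like Postfix queue IDs. The sample body is constructed, not captured; the response is assumed to be a JSON array of row objects with the field names the advisory uses, and the optional live fetch assumes the instance URL and that the API accepts the X-API-Key header.

```javascript
// Added example (editor's triage helper, not mailcow code). Scans the JSON returned by
// /api/v1/get/mailq/all for rows whose unescaped fields (sender, queue_name, queue_id)
// carry HTML metacharacters, i.e. rows that would hit the DataTables innerHTML sink
// with markup intact when an administrator opens /admin/queue.

const UNESCAPED_FIELDS = ["sender", "queue_name", "queue_id"];

// Any of these in a raw field is a red flag for a text or attribute context.
const HTML_META = /[<>"'&]/;

// Short Postfix queue IDs are uppercase hex; long queue IDs (enable_long_queue_ids)
// are mixed-case alphanumeric. Anything else did not come from postqueue -j.
const QUEUE_ID_SHAPE = /^[0-9A-Za-z]+$/;

function scanQueueRows(rows) {
  const findings = [];
  for (const [index, row] of rows.entries()) {
    for (const field of UNESCAPED_FIELDS) {
      const value = row[field];
      if (typeof value !== "string") continue;
      const malformedId = field === "queue_id" && !QUEUE_ID_SHAPE.test(value);
      if (HTML_META.test(value) || malformedId) {
        findings.push({ index, field, queue_id: row.queue_id, value });
      }
    }
  }
  return findings;
}

// Accepts the raw response body; anything that is not a JSON array (for example an
// error object) yields no findings rather than a crash.
function scanQueueJson(body) {
  const parsed = JSON.parse(body);
  return scanQueueRows(Array.isArray(parsed) ? parsed : []);
}

// Constructed sample body (not captured from a real instance). Field set follows
// postqueue -j with recipients already normalized to a flat array, as the advisory
// says functions.mailq.inc.php does.
const SAMPLE_BODY = JSON.stringify([
  { queue_id: "4F3A1B2C9D", queue_name: "deferred", arrival_time: 1700000000,
    message_size: 2048, sender: "alice@example.com", recipients: ["bob@example.net"] },
  { queue_id: "4F3A1B2C9E", queue_name: "deferred", arrival_time: 1700000100,
    message_size: 4096, sender: '"<img src=x onerror=alert(1)>"@example.com',
    recipients: ["carol@example.net"] },
]);

// Optional live check (hypothetical base URL, e.g. "https://mail.example.com";
// mailcow's API authenticates with an X-API-Key header). Not run by the demo below.
async function scanLiveQueue(baseUrl, apiKey) {
  const res = await fetch(baseUrl + "/api/v1/get/mailq/all", {
    headers: { "X-API-Key": apiKey },
  });
  return scanQueueJson(await res.text());
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanQueueJson(SAMPLE_BODY), null, 2));
}
```

A non-empty result on a live instance is reason to hold off on opening the Queue Manager in a browser until the frontend is patched, and to inspect the flagged message from the command line instead; the scan is deliberately over-inclusive (an ampersand in a legitimate address will also be flagged), which is the right bias for a triage tool.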
Step 4 - Attribute-context variant
If a non-Postfix or compromised queue source returns a non-hexadecimal queue_id, the checkbox construction is also unsafe:
This produces:
Postfix queue IDs are normally constrained to hexadecimal values (alphanumeric when long queue IDs are enabled), so the sender column is the practical exploitation path. The queue_id construction is still a defective HTML-attribute sink and should be fixed defensively.
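The attribute-context variant, as an added example that is not mailcow's code: the fragment shape below is a hypothetical stand-in for the checkbox markup queue.js builds from queue_id (the real quoting and attribute names are not reproduced here), and the malformed queue_id is constructed. It shows concretely why encodeURI is not an attribute encoder (it leaves the single quote, slash, parentheses and equals sign untouched) and what a defensive construction looks like: reject anything that is not a Postfix-shaped queue ID, then escape for the attribute context anyway.

```javascript
// Added example (editor's illustration). The fragment shape is a hypothetical stand-in
// for the checkbox markup built from queue_id, not a copy of queue.js.

function fragmentWithEncodeURI(queueId) {
  // encodeURI percent-encodes < > " and whitespace but leaves ' / ( ) = alone, so it
  // only looks safe by accident, and only for a double-quoted attribute.
  return "<input type='checkbox' data-id='" + encodeURI(queueId) + "'>";
}

// Attribute-context escaper: the four characters DataTables render.text() handles
// plus the single quote, which matters as soon as an attribute is single-quoted.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Short Postfix queue IDs are uppercase hex; long queue IDs are alphanumeric.
const QUEUE_ID_SHAPE = /^[0-9A-Za-z]+$/;

function fragmentHardened(queueId) {
  // Allowlist first: a queue_id that is not alphanumeric did not come from Postfix
  // and must not be rendered at all.
  if (!QUEUE_ID_SHAPE.test(queueId)) {
    throw new Error("refusing to render malformed queue_id: " + JSON.stringify(queueId));
  }
  // Escape anyway so the construction stays safe if the allowlist is ever relaxed.
  return '<input type="checkbox" data-id="' + escapeHtmlAttr(queueId) + '">';
}

// Constructed queue_id of the kind a non-Postfix or tampered queue source might return.
// After the closing quote, a browser's tokenizer treats "/" as ending the attribute and
// "onfocus" as the next attribute name, so the handler becomes part of the element.
const MALFORMED_ID = "4F3A'/onfocus='alert(1)";

// True when encodeURI left the breakout sequence intact in the rendered fragment.
function encodeURIKeepsBreakoutChars(queueId) {
  return fragmentWithEncodeURI(queueId).includes("'/onfocus='");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(fragmentWithEncodeURI(MALFORMED_ID));
  console.log(fragmentHardened("4F3A1B2C9D"));
  try { fragmentHardened(MALFORMED_ID); } catch (e) { console.log(e.message); }
}
```

The allowlist is the control that makes this sink safe regardless of quoting; the escaper is defence in depth. Because queue_id is also used to address the row in later API calls, rejecting malformed IDs up front also keeps garbage out of those requests.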
Evidence of Exploitation
Video of exploitation:
Static Evidence:

Our security policy
We have reserved the ID CVE-2026-7460 to refer to this issue from now on.
System Information
mailcow: dockerized
Version: 2026-03b (branch master, commit 281cf93d)
Operating System: Any mailcow: dockerized deployment with administrator Queue Manager access
References
Github Repository: https://github.com/mailcow/mailcow-dockerized
Security: https://github.com/mailcow/mailcow-dockerized/security
Mitigation
An updated version of mailcow-dockerized is available at the vendor page.
Credits
The vulnerability was discovered by Oscar Naveda from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Vendor requested re-testing
Follow-up with vendor
Vendor confirmed
Vulnerability patched
Public disclosure