CVE-2026-7460

Description

mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b.

PUBLISHED Reserved 2026-04-29 | Published 2026-05-20 | Updated 2026-05-20 | Assigner Fluid Attacks

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Credits

Fluid Attacks' AI SAST Scanner finder

Oscar Naveda finder

References

fluidattacks.com/advisories/mojabi exploit

fluidattacks.com/advisories/mojabi third-party-advisory

github.com/mailcow/mailcow-dockerized product

cve.org (CVE-2026-7460)

nvd.nist.gov (CVE-2026-7460)

Download JSON