CVE-2026-40878
mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
| CWE | CWE-79 |
| Vendor | mailcow |
| Product | mailcow-dockerized |
| Published | Apr 21, 2026 |
Get instant alerts for mailcow mailcow-dockerized
Be the first to know when new unknown vulnerabilities affecting mailcow mailcow-dockerized are published โ delivered to Slack, Telegram or Discord.