mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

mailcow: dockerized 跨站脚本漏洞

mailcow: dockerized是mailcow开源的一个docker化的mailcow应用软件。 mailcow: dockerized 2026-03b之前版本存在跨站脚本漏洞，该漏洞源于管理仪表板的Autodiscover日志未对EMailAddress值进行HTML转义，可能导致存储型跨站脚本攻击。

N/A

N/A