PatchSiren cyber security CVE debrief
CVE-2026-7460 mailcow CVE debrief
CVE-2026-7460 is a stored cross-site scripting issue in mailcow-dockerized’s administrator Queue Manager. According to the supplied advisory summary, the Queue Manager pulls mail queue entries from /api/v1/get/mailq/all, places server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without sufficient output encoding. The result is a HIGH-severity XSS exposure affecting mailcow-dockerized 2026-03b.
- Vendor: mailcow
- Product: mailcow-dockerized
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Mailcow administrators, operators, and security teams responsible for the Queue Manager and any environment where privileged users review mail queue data through the web UI should prioritize this issue.
Technical summary
The issue is a stored XSS condition in an administrative interface. NVD records the weakness as CWE-79 and reports a CVSS 4.0 vector consistent with network access, low attack complexity, and required low privileges plus user interaction. The supplied description says the Queue Manager consumes mail queue data from /api/v1/get/mailq/all, propagates server-controlled Postfix queue fields into DataTables, and renders some fields as HTML without adequate encoding. Because the affected content is displayed in an admin context, maliciously crafted queue field content could execute in a privileged browser session.
Defensive priority
High. This is an administrative stored XSS issue with a HIGH CVSS score and potential impact on confidentiality and integrity in the web UI.
Recommended defensive actions
- Review the mailcow-dockerized 2026-03b release notes and apply the vendor-supplied fix or mitigation if available.
- Treat all queue-related fields returned to the Queue Manager as untrusted and ensure they are output-encoded before being inserted into the DOM.
- Verify that DataTables rendering paths use safe text rendering rather than HTML insertion for server-controlled values.
- Audit the administrator Queue Manager for other DOM sinks that may render queue metadata or message fields as raw HTML.
- Restrict access to the administrative UI to trusted users and monitor for unexpected content in queue entries.
- Re-test the Queue Manager after remediation to confirm that server-controlled fields are escaped consistently.
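The technical summary above describes the rendering path (queue entries from the API placed into DataTables rows and rendered as HTML), and the actions above ask for output encoding, text rather than HTML rendering, and a re-test that the escaping is consistent. The following is an added example, not mailcow's own code, showing a vulnerable column renderer beside a hardened one and a small re-test check. The field names (`queue_id`, `sender`, `recipients`, `arrival_time`), the sample entries and the helper names are assumptions for illustration; the `render(data, type, row, meta)` callback shape is the one DataTables uses for column definitions.

```javascript
// Added example (not mailcow-dockerized code): escaping server-controlled Postfix
// queue fields before they reach a DataTables column renderer.

// Constructed sample of what rows from /api/v1/get/mailq/all might look like.
// Field names are assumptions for illustration, not taken from the real API.
const SAMPLE_QUEUE_ENTRIES = [
  { queue_id: 'ABC123', sender: 'alice@example.test',
    recipients: ['bob@example.test'], arrival_time: 1716177000 },
  // A recipient value carrying markup-like characters, to show the difference
  // between text rendering and HTML insertion.
  { queue_id: 'DEF456', sender: 'carol@example.test',
    recipients: ['<b>bob</b>@example.test'], arrival_time: 1716177060 },
];

// Minimal HTML entity encoder for text that will be placed inside element content
// or double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (the class of defect described in the advisory): the
// renderer concatenates raw server-controlled values into an HTML string.
function renderRecipientsUnsafe(data) {
  return '<span class="recipients">' + data.join('<br>') + '</span>';
}

// Hardened pattern: every server-controlled value passes through escapeHtml;
// the only markup in the output is authored here, never taken from the data.
function renderRecipientsSafe(data) {
  return '<span class="recipients">' + data.map(escapeHtml).join('<br>') + '</span>';
}

// DataTables column definitions. Escaping is applied for the 'display' type only;
// sort and filter types receive the raw value so ordering and search still work.
function queueColumns() {
  const textColumn = (field) => ({
    data: field,
    render: (data, type) => (type === 'display' ? escapeHtml(data) : data),
  });
  return [
    textColumn('queue_id'),
    textColumn('sender'),
    { data: 'recipients',
      render: (data, type) => (type === 'display' ? renderRecipientsSafe(data) : data.join(', ')) },
    { data: 'arrival_time',
      render: (data, type) => (type === 'display' ? escapeHtml(new Date(data * 1000).toISOString()) : data) },
  ];
}

// Simulates DataTables invoking each column's render callback for the display
// type, so the output can be checked offline without jQuery or a browser.
function renderDisplayRow(entry, columns) {
  return columns.map((col) => col.render(entry[col.data], 'display', entry, {}));
}

// Re-test check: no field value containing '<' or '>' may appear verbatim in any
// rendered cell. Returns true when every such value was encoded.
function rowIsEscaped(entry, cells) {
  const riskyValues = Object.values(entry).flat().map(String).filter((v) => /[<>]/.test(v));
  return riskyValues.every((raw) => !cells.some((cell) => cell.includes(raw)));
}

// Run the check over every sample entry; returns the list of failing queue ids.
function auditSampleEntries() {
  const columns = queueColumns();
  return SAMPLE_QUEUE_ENTRIES
    .filter((entry) => !rowIsEscaped(entry, renderDisplayRow(entry, columns)))
    .map((entry) => entry.queue_id);
}
```

The same check can be turned on a real deployment's column definitions after remediation: feed the rendered cells of each row to `rowIsEscaped` and treat any raw `<` or `>` that survives as a regression. DataTables also ships a built-in text renderer (`DataTable.render.text()`) that can replace the per-column escaping shown here for plain string fields.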
Evidence notes
The debrief is based on the supplied CVE description, which explicitly identifies a stored XSS flaw in the administrator Queue Manager of mailcow-dockerized 2026-03b. NVD metadata identifies the weakness as CWE-79 and marks the vulnerability status as Deferred. The supplied references include the Fluid Attacks advisory URL and the mailcow-dockerized GitHub repository URL. Vendor attribution in the provided corpus is not firm, so product naming is taken from the CVE description and the vendor field is treated as uncertain.
Official resources
Published in the supplied CVE record on 2026-05-20T04:16:56.270Z and modified on 2026-05-20T14:23:14.993Z. Use the CVE published timestamp as the disclosure date; do not infer any earlier or later issue date from the generation or review of