Aikido Security's AI pentesting agent discovered three XSS vulnerabilities in Mailcow, a popular self-hosted open source email server. The most critical flaw allowed unauthenticated attackers to inject arbitrary HTML into the Autodiscover logs via an unescaped email address field; the payload is stored and fires as XSS when an admin views the logs. A second vulnerability exploited unescaped attachment filenames in the Quarantine feature: attaching an EICAR test file reliably routes the malicious email into quarantine, where the crafted filename is rendered without escaping. The third combined a Self-XSS (via a spoofed X-Real-IP header stored in the login history) with a Login CSRF that forces the victim into the attacker's account, and then used window.opener to exfiltrate mailbox data. All three issues were patched in Mailcow version 2026-03b (March 31, 2026) by adding proper HTML escaping at the affected output points.
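To make the pattern concrete, the following is an added example in JavaScript; it is not Mailcow's code, and the log records, field names and helpers (escapeHtml, renderVulnerable, renderHardened, containsInjectedMarkup, clientAddress) are all constructed for illustration. The first part renders the three attacker-controlled fields named in the write-up (Autodiscover email address, quarantined attachment filename, X-Real-IP in the login history) with raw interpolation beside the escaped version. The clientAddress helper goes beyond the escaping fix the write-up describes: it is a defence-in-depth check that ignores a client-supplied X-Real-IP header unless the connection actually comes from a trusted reverse proxy.

```javascript
// Added example, not Mailcow's code. Demonstrates how unescaped attacker-controlled
// strings reach an admin's browser as markup, and the HTML-escaping fix.
// Every record below is constructed sample data.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed records standing in for the three sinks discussed above.
const autodiscoverLog = {
  time: "2026-03-30T10:00:00Z",
  // attacker-supplied email address sent to the Autodiscover endpoint (constructed)
  user: '<img src=x onerror="alert(document.domain)">@example.com',
  ua: "Microsoft Office/16.0",
};
const quarantineItem = {
  sender: "attacker@example.net",
  // attacker-controlled attachment filename (constructed)
  attachment: 'report<svg onload="alert(1)">.pdf',
};
const loginHistory = {
  user: "attacker@example.net",
  // value of a spoofed X-Real-IP request header (constructed)
  realIp: '127.0.0.1"><script>alert(1)</script>',
};

// Vulnerable rendering: values are interpolated into HTML as-is.
// The column keys are trusted (hard-coded above), only the values are attacker data.
function renderVulnerable(record) {
  return Object.entries(record)
    .map(([key, value]) => `<td class="${key}">${value}</td>`)
    .join("");
}

// Hardened rendering: every attacker-influenced value passes through escapeHtml.
function renderHardened(record) {
  return Object.entries(record)
    .map(([key, value]) => `<td class="${key}">${escapeHtml(value)}</td>`)
    .join("");
}

// Crude detector for a rendered row: does any element other than the <td>
// wrapper survive in the output? True means attacker markup got through.
function containsInjectedMarkup(html) {
  return /<(?!\/?td\b)[a-z]/i.test(html);
}

// Defence in depth (hypothetical helper, beyond the escaping fix described above):
// only honour X-Real-IP when the TCP peer is one of our own reverse proxies.
// Otherwise a client can set the header itself and choose what gets logged.
function clientAddress(remoteAddr, headers, trustedProxies) {
  const realIp = headers["x-real-ip"];
  if (trustedProxies.has(remoteAddr) && realIp) return realIp.trim();
  return remoteAddr;
}

for (const record of [autodiscoverLog, quarantineItem, loginHistory]) {
  console.log("vulnerable:", containsInjectedMarkup(renderVulnerable(record)));
  console.log("hardened:  ", containsInjectedMarkup(renderHardened(record)));
}
```

Note that escaping at the output point is the fix the write-up credits; the proxy check only limits what an attacker can store in the X-Real-IP column, it does not replace escaping for the other two fields.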
Table of contents
Unescaped Autodiscover logs
Injecting quarantine attachment filenames
Elevating a Self-XSS in IP listed in Login History
Remediation
Conclusion