References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

OR
          *cpe:2.3:a:mailcow:mailcow:_dockerized:*:*:*:*:*:*:*:* versions up to (excluding) 2025-07

GitHub, Inc.: https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b Types: Patch

GitHub, Inc.: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m Types: Vendor Advisory

mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue.

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-1336

https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b

https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m