CVE-2025-53909 CRITICAL

CVE-2025-53909: mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template

Vendor Mailcow
Product mailcow-dockerized
Weakness CWE-1336
Published July 17, 2025
Last update July 17, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

mailcow: dockerized is an open source groupware/email suite based on Docker. Versions prior to 2025-07 contain a Server-Side Template Injection (SSTI) vulnerability in the notification template system mailcow uses to send quota and quarantine alerts. The template engine evaluates expressions embedded in the template, and in certain contexts those expressions can be abused to execute code on the system that renders the notification. Exploitation requires admin-level access to the mailcow UI, which is where the templates are configured; that is why the vector scores Privileges Required as High. No further interaction is needed once a malicious template is stored, because the templates are rendered automatically during normal system operation whenever a quota or quarantine notification is generated, and they are rendered outside the admin UI session that configured them, which is why the vector records a changed scope. Version 2025-07 contains a patch for the issue; until a deployment is upgraded, templates already saved by an admin account should be treated as untrusted input.
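The advisory does not name the template engine or show a payload. The check below is an added example, not mailcow's own code, and it assumes Jinja2-style `{{ ... }}` / `{% ... %}` delimiters, the form a Python notification template of this kind typically takes. It is a static audit an operator could run over the templates an admin has already stored before upgrading, or use to reject a template at save time: it flags dunder attribute access (the `__class__` / `__mro__` / `__subclasses__` / `__globals__` chain that escapes from Python template engines are built from), the `attr` filter, subscripts with string or computed keys, and any top-level name or filter outside an allowlist. The allowed variable names (`username`, `percent`, `items`, `hostname`) and the safe-filter list are assumptions made for the example, not mailcow's real template variables, and the payloads in the sample are generic, constructed SSTI shapes rather than steps taken from the advisory.

```python
"""
Static audit for Jinja2-style notification templates (added example).

Heuristic, not a sandbox: it flags the building blocks of a Python
template-engine escape (dunder attribute access, the attr() filter,
computed subscripts) plus any top-level name or filter the template
is not expected to use.  Useful for reviewing templates an admin has
already stored, or for rejecting a new one before it is saved.
"""
import re

# {{ expression }} and {% statement %} bodies (Jinja2 default delimiters)
TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
STRING_RE = re.compile(r"\"[^\"]*\"|'[^']*'")
FILTER_RE = re.compile(r"\|\s*([A-Za-z_]\w*)")
# An identifier not preceded by a word char or '.', i.e. a top-level name
# rather than an attribute such as the .subject in item.subject
NAME_RE = re.compile(r"(?<![\w.])[A-Za-z_]\w*")
DUNDER_RE = re.compile(r"__\w+__")
# Subscript whose key is a string literal or a computed expression,
# e.g. ['os'] or ['__cla' + 'ss__']; plain numeric indexes pass
COMPUTED_SUBSCRIPT_RE = re.compile(r"\[[^\]]*['\"+%~][^\]]*\]")
FOR_RE = re.compile(r"for\s+([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)\s+in\b")

KEYWORDS = {
    "for", "in", "if", "elif", "else", "endif", "endfor", "and", "or", "not",
    "is", "true", "false", "none", "True", "False", "None", "loop",
}
# Filters a plain mail notification plausibly needs (assumed list)
SAFE_FILTERS = {
    "upper", "lower", "title", "trim", "length", "round", "int", "string",
    "default", "e", "escape", "join", "first", "last",
}


def audit_template(template, allowed_vars):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    loop_vars = set()
    for m in TAG_RE.finditer(template):
        expr = (m.group(1) if m.group(1) is not None else m.group(2)).strip()

        def flag(kind, detail, expr=expr):
            findings.append({"kind": kind, "detail": detail, "expression": expr})

        if (hit := DUNDER_RE.search(expr)):
            flag("dunder", hit.group(0))
        if (hit := COMPUTED_SUBSCRIPT_RE.search(expr)):
            flag("subscript", hit.group(0))

        # Names bound by {% for x in ... %} are legitimate in the loop body
        if (fm := FOR_RE.match(expr)):
            loop_vars.update(v.strip() for v in fm.group(1).split(","))

        bare = STRING_RE.sub('""', expr)          # blank out string literals
        filters = set(FILTER_RE.findall(bare))
        for name in sorted(filters - SAFE_FILTERS):
            flag("filter", name)
        for name in NAME_RE.findall(bare):
            if name in KEYWORDS or name in loop_vars or name in filters:
                continue
            if name not in allowed_vars:
                flag("unknown_name", name)
    return findings


def is_safe(template, allowed_vars):
    """True when the template uses only expected names, filters and access forms."""
    return not audit_template(template, allowed_vars)


if __name__ == "__main__":
    # Constructed samples: the variable names are assumptions, the payloads
    # are generic Jinja2 SSTI shapes, not content taken from the advisory.
    QUOTA_VARS = {"username", "percent"}
    QUARANTINE_VARS = {"items", "hostname"}
    samples = [
        ("Hello {{ username }}, your mailbox is at {{ percent }}% of its quota.",
         QUOTA_VARS),
        ("{% for item in items %}{{ loop.index }}. {{ item.subject|e }}\n{% endfor %}",
         QUARANTINE_VARS),
        ("{{ ''.__class__.__mro__[1].__subclasses__() }}", QUOTA_VARS),
        ("{{ lipsum.__globals__['os'].popen('id').read() }}", QUOTA_VARS),
        ('{{ request|attr("application") }}', QUARANTINE_VARS),
    ]
    for template, allowed in samples:
        verdict = "ok" if is_safe(template, allowed) else "REJECT"
        print(f"{verdict:6} {template!r}")
        for f in audit_template(template, allowed):
            print(f"       {f['kind']}: {f['detail']}")
```

A scanner like this is a review aid and a save-time gate, not a fix: a determined admin can still obfuscate an expression past a denylist, so the remediation remains upgrading to 2025-07 and rendering admin-supplied templates only through a sandboxed engine with a minimal context. The allowlist is the part worth keeping strict, because a notification template has no legitimate reason to reach any name beyond the handful of values the alert is about.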

Key dates

Disclosure timeline

July 17, 2025 CVE published
July 17, 2025 Record updated