What is CVE-2025-53909?

CVE-2025-53909 is a critical-severity vulnerability in Mailcow Mailcow-dockerized, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 9.1/10. Published 2025-07-17.

How severe is CVE-2025-53909?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Mailcow Mailcow-dockerized

CVE-2025-53909

mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota an…

EPSS: 0.007 (72.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Mailcow Mailcow-dockerized — versions < 2025-07

Weakness classification (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine

References

https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m (x_refsource_CONFIRM)
https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-53909?: CVE-2025-53909 is a critical-severity vulnerability in Mailcow Mailcow-dockerized, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 9.1/10. Published 2025-07-17.
How severe is CVE-2025-53909?: Critical severity. CVSS v3 base score is 9.1 out of 10.