Unrated severityNVD Advisory· Published Jul 17, 2018· Updated Aug 5, 2024

CVE-2018-14354

Description

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mutt and NeoMutt before versions 1.10.1 and 2018-07-16 allow arbitrary command execution via backquote injection in IMAP mailbox names during manual or automatic subscription.

Vulnerability

A command injection vulnerability exists in Mutt before version 1.10.1 and NeoMutt before version 2018-07-16. The bug resides in the IMAP code that handles mailbox subscriptions; when processing a mailboxes command (triggered by manual subscribe/unsubscribe actions or by automatic subscription via the $imap_check_subscribed option), the client fails to properly escape backquote characters () in mailbox names returned by the IMAP server. This allows the server to inject arbitrary shell commands into the string that is later parsed by mutt_parse_rc_line()` [1][3]. The affected versions include all Mutt releases prior to 1.10.1 and NeoMutt builds prior to 2018-07-16 [1][4].

Exploitation

An attacker operating a malicious IMAP server can send specially crafted mailbox names containing backquotes during the mailbox listing (e.g., via the LSUB response). When the client (Mutt or NeoMutt) user performs a manual subscribe/unsubscribe action or when automatic subscription is configured, the client constructs an internal mailboxes command using the un-sanitized mailbox name. The command string is then passed to mutt_parse_rc_line(), which executes any backquoted shell commands. The attacker does not require authentication; the user only needs to connect to the malicious server and trigger a subscription action, either manually or automatically [3].

Impact

Successful exploitation allows the remote IMAP server to execute arbitrary shell commands with the privileges of the user running Mutt or NeoMutt. This can lead to full compromise of the user's account, including disclosure, modification, or destruction of data, and potential lateral movement within the network. The CVSS score is not provided in the references, but the impact is rated as critical by the Gentoo security advisory [1][4].

Mitigation

Users should upgrade to Mutt version 1.10.1 or later, or NeoMutt version 2018-07-16 or later [4]. Red Hat Enterprise Linux users can obtain fixed packages via RHSA-2018:2526 [1]. The fix introduces a new function imap_quote_string_and_backquotes() that properly escapes backquote characters when quoting mailbox names for the mailboxes command [3]. There is no known workaround for this vulnerability; upgrading is the only mitigation [4].

References

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Mutt/Muttllm-fuzzy
Range: <1.10.1
Neomutt/Neomuttllm-fuzzy
Range: <2018-07-16
osv-coords11 versions
pkg:rpm/opensuse/mutt&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/neomutt&distro=openSUSE%20Tumbleweed pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
< 2.0.7-2.2+ 10 more
- (no CPE)range: < 2.0.7-2.2
- (no CPE)range: < 20210205-3.3
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.10.1-3.3.4
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.10.1-55.3.1

Patches

6a147a62cf39

merge: NeoMutt 2018-07-16

https://github.com/neomutt/neomuttRichard RussonJul 16, 2018via osv

commit

41 files changed · +20281 −20118

auto.def+1 −1 modified

@@ -14,7 +14,7 @@ use system cc cc-lib mutt-gettext mutt-iconv
 ###############################################################################
 # Names and versions
 define PACKAGE          "neomutt"
-define PACKAGE_VERSION  "20180622"
+define PACKAGE_VERSION  "20180716"
 define BUGS_ADDRESS     "neomutt-devel@neomutt.org"
 
 # Subdirectories that contain additional Makefile.autosetup files

ChangeLog.md+6 −0 modified

@@ -1,3 +1,9 @@
+2018-07-16  Richard Russon  <rich@flatcap.org>
+* Features
+  - <check-stats> function
+* Bug Fixes
+  - Lots
+
 2018-06-22  Richard Russon  <rich@flatcap.org>
 * Features
   - Expand variables inside backticks

doxygen/doxygen.conf+1 −1 modified

@@ -25,7 +25,7 @@ PROJECT_NAME           = "NeoMutt"
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 2018-06-22
+PROJECT_NUMBER         = 2018-07-16
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

imap/auth_plain.c+2 −1 modified

@@ -77,7 +77,8 @@ enum ImapAuthRes imap_auth_plain(struct ImapData *idata, const char *method)
     }
     if (rc == IMAP_CMD_RESPOND)
     {
-      mutt_str_strcat(buf + sizeof(auth_plain_cmd), sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
+      mutt_str_strcat(buf + sizeof(auth_plain_cmd),
+                      sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
       mutt_socket_send(idata->conn, buf + sizeof(auth_plain_cmd));
     }
   }

imap/imap.c+2 −2 modified

@@ -1730,8 +1730,8 @@ int imap_subscribe(char *path, bool subscribe)
     mutt_buffer_init(&err);
     err.data = errstr;
     err.dsize = sizeof(errstr);
-	len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
-	imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
+    len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
+    imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
     if (mutt_parse_rc_line(mbox, &token, &err))
       mutt_debug(1, "Error adding subscribed mailbox: %s\n", errstr);
     FREE(&token.data);

.mailmap+4 −1 modified

@@ -61,6 +61,7 @@ Jakub Jindra <jakub.jindra@socialbakers.com>                    Jakub Jindra <j
 Jakub Wilk <jwilk@jwilk.net>                                    Jakub Wilk <jwilk@jwilk.net>                             # @jwilk
 Jelle van der Waa <jelle@vdwaa.nl>                              Jelle van der Waa <jelle@vdwaa.nl>                       # @jelly
 Jenya Sovetkin <e.sovetkin@gmail.com>                           Jenya Sovetkin <e.sovetkin@gmail.com>                    # @esovetkin
+JerikoOne <jeriko.one@gmx.us>                                   JerikoOne <jeriko.one@gmx.us>                            # @jeriko-one
 Joey Pabalinas <joeypabalinas@gmail.com>                        Joey Pabalinas <joeypabalinas@gmail.com>                 # @alyptik
 Johannes Weißl <jargon@molb.org>                               Johannes Weißl <jargon@molb.org>                        # @weisslj
 Jonathan Perkin <jperkin@netbsd.org>                            Jonathan Perkin <jperkin@netbsd.org>                     # @jperkin
@@ -80,6 +81,7 @@ Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <m
 Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <mrajner@lenovo>                           # @mrajner
 Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner lenovo <mrajner@gik.pw.edu.pl>             # @mrajner
 Marco Hinz <mh.codebro@gmail.com>                               Marco Hinz <mh.codebro@gmail.com>                        # @mhinz
+Marco Sirabella <marco@sirabella.org>                           Marco Sirabella <marco@sirabella.org>                    # @mjsir911
 Marius Gedminas <marius@gedmin.as>                              Marius Gedminas <marius@gedmin.as>                       # @mgedmin
 Mehdi Abaakouk <sileht@sileht.net>                              Mehdi ABAAKOUK <sileht@sileht.net>                       # @sileht
 Mehdi Abaakouk <sileht@sileht.net>                              Mehdi Abaakouk <sileht@sileht.net>                       # @sileht
@@ -156,7 +158,8 @@ Andreas Jobs <unknown>                                          Andreas Jobs <un
 Andrew Gaul <andrew@gaul.org>                                   Andrew Gaul <andrew@gaul.org>
 Andrew Nosenko <awn@bcs.zp.ua>                                  Andrew W. Nosenko <awn@bcs.zp.ua>
 Antoine Reilles <tonio@netbsd.org>                              Antoine Reilles <tonio@netbsd.org>
-Anton Lindqvist <anton.lindqvist@gmail.com>                     Anton Lindqvist <anton.lindqvist@gmail.com>
+Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton.lindqvist@gmail.com>
+Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton@basename.se>
 Armin Wolfermann <aw@osn.de>                                    Armin Wolfermann <aw@osn.de>
 Aron Griffis <agriffis@n01se.net>                               Aron Griffis <agriffis@n01se.net>
 Athanasios Douitsis <aduitsis@gmail.com>                        Athanasios Douitsis <aduitsis@gmail.com>

newsrc.c+2 −1 modified

@@ -601,7 +601,8 @@ int nntp_add_group(char *line, void *data)
     return 0;
 
   /* These sscanf limits must match the sizes of the group and desc arrays */
-  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
+  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last,
+             &first, &mod, desc) < 4)
   {
     mutt_debug(4, "Cannot parse server line: %s\n", line);
     return 0;

nntp.c+1 −1 modified

@@ -1289,7 +1289,7 @@ static int nntp_fetch_headers(struct Context *ctx, void *hc, anum_t first,
   fc.restore = restore;
   fc.messages = mutt_mem_calloc(last - first + 1, sizeof(unsigned char));
   if (fc.messages == NULL)
-	  return -1;
+    return -1;
 #ifdef USE_HCACHE
   fc.hc = hc;
 #endif

pattern.c+8 −8 modified

@@ -1885,13 +1885,13 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
     case MUTT_SENDER:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1,
-                                        h->env->sender));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        1, h->env->sender));
     case MUTT_FROM:
       if (!h->env)
         return 0;
-      return (pat->not ^
-              match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1, h->env->from));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        1, h->env->from));
     case MUTT_TO:
       if (!h->env)
         return 0;
@@ -1924,14 +1924,14 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
     case MUTT_ADDRESS:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 4,
-                                        h->env->from, h->env->sender,
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        4, h->env->from, h->env->sender,
                                         h->env->to, h->env->cc));
     case MUTT_RECIPIENT:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 2,
-                                        h->env->to, h->env->cc));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        2, h->env->to, h->env->cc));
     case MUTT_LIST: /* known list, subscribed or not */
       if (!h->env)
         return 0;

po/bg.po+675 −670 modified
po/ca.po+675 −670 modified
po/cs.po+675 −670 modified
po/da.po+675 −670 modified
po/de.po+675 −670 modified
po/el.po+675 −670 modified
po/en_GB.po+674 −670 modified
po/eo.po+675 −670 modified
po/es.po+675 −670 modified
po/et.po+675 −670 modified
po/eu.po+675 −670 modified
po/fr.po+675 −670 modified
po/ga.po+675 −670 modified
po/gl.po+675 −670 modified
po/hu.po+675 −670 modified
po/id.po+675 −670 modified
po/it.po+675 −670 modified
po/ja.po+675 −670 modified
po/ko.po+675 −670 modified
po/lt.po+675 −670 modified
po/nl.po+675 −670 modified
po/pl.po+675 −670 modified
po/pt_BR.po+675 −670 modified
po/ru.po+675 −670 modified
po/sk.po+675 −670 modified
po/sv.po+675 −670 modified
po/tr.po+675 −670 modified
po/uk.po+675 −670 modified
po/zh_CN.po+675 −670 modified
po/zh_TW.po+675 −670 modified

README.md+3 −1 modified

@@ -2,7 +2,7 @@
 
 [![Stars](https://img.shields.io/github/stars/neomutt/neomutt.svg?style=social&label=Stars)](https://github.com/neomutt/neomutt "Give us a Star")
 [![Twitter](https://img.shields.io/twitter/follow/NeoMutt_Org.svg?style=social&label=Follow)](https://twitter.com/NeoMutt_Org "Follow us on Twitter")
-[![Contributors](https://img.shields.io/badge/Contributors-127-orange.svg)](#contributors "All of NeoMutt's Contributors")
+[![Contributors](https://img.shields.io/badge/Contributors-132-orange.svg)](#contributors "All of NeoMutt's Contributors")
 [![Release](https://img.shields.io/github/release/neomutt/neomutt.svg)](https://github.com/neomutt/neomutt/releases/latest "Latest Release Notes")
 [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/neomutt/neomutt/blob/master/COPYRIGHT.md "Copyright Statement")
 [![Code build](https://img.shields.io/travis/neomutt/neomutt.svg?label=code)](https://travis-ci.org/neomutt/neomutt "Latest Automatic Code Build")
@@ -137,6 +137,7 @@ Here's a list of everyone who's helped NeoMutt:
 [Jasper Adriaanse](https://github.com/jasperla "jasperla"),
 [Jelle van der Waa](https://github.com/jelly "jelly"),
 [Jenya Sovetkin](https://github.com/esovetkin "esovetkin"),
+[JerikoOne](https://github.com/jeriko-one "jeriko-one"),
 [Joey Pabalinas](https://github.com/alyptik "alyptik"),
 [Johannes Frankenau](https://github.com/tsuflux "tsuflux"),
 [Johannes Weißl](https://github.com/weisslj "weisslj"),
@@ -156,6 +157,7 @@ Here's a list of everyone who's helped NeoMutt:
 [Manos Pitsidianakis](https://github.com/epilys "epilys"),
 [Marcin Rajner](https://github.com/mrajner "mrajner"),
 [Marco Hinz](https://github.com/mhinz "mhinz"),
+[Marco Sirabella](https://github.com/mjsir911 "mjsir911"),
 [Marius Gedminas](https://github.com/mgedmin "mgedmin"),
 [Mateusz Piotrowski](https://github.com/0mp "0mp"),
 [Matteo Vescovi](https://github.com/mfvescovi "mfvescovi"),

send.c+2 −1 modified

@@ -1076,7 +1076,8 @@ struct Address *mutt_default_from(void)
 
   if (From)
     addr = mutt_addr_copy(From);
-  else {
+  else
+  {
     addr = mutt_addr_new();
     if (UseDomain)
     {

95e80bf9ff10

Quote path in imap_subscribe

https://github.com/neomutt/neomuttJerikoOneJul 7, 2018via osv

commit

1 file changed · +3 −1

imap/imap.c+3 −1 modified

@@ -1709,6 +1709,7 @@ int imap_subscribe(char *path, bool subscribe)
   char errstr[STRING];
   struct Buffer err, token;
   struct ImapMbox mx;
+  size_t len = 0;
 
   if (!mx_is_imap(path) || imap_parse_path(path, &mx) || !mx.mbox)
   {
@@ -1729,7 +1730,8 @@ int imap_subscribe(char *path, bool subscribe)
     mutt_buffer_init(&err);
     err.data = errstr;
     err.dsize = sizeof(errstr);
-    snprintf(mbox, sizeof(mbox), "%smailboxes \"%s\"", subscribe ? "" : "un", path);
+	len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
+	imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
     if (mutt_parse_rc_line(mbox, &token, &err))
       mutt_debug(1, "Error adding subscribed mailbox: %s\n", errstr);
     FREE(&token.data);

185152818541

https://gitlab.com/muttmua/muttvia osv

commit

ed9d7727dc70

https://gitlab.com/muttmua/muttvia osv

commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

access.redhat.com/errata/RHSA-2018:2526mitrevendor-advisoryx_refsource_REDHAT
security.gentoo.org/glsa/201810-07mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/3719-1/mitrevendor-advisoryx_refsource_UBUNTU
usn.ubuntu.com/3719-2/mitrevendor-advisoryx_refsource_UBUNTU
usn.ubuntu.com/3719-3/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2018/dsa-4277mitrevendor-advisoryx_refsource_DEBIAN
www.mutt.org/news.htmlmitrex_refsource_MISC
www.securityfocus.com/bid/104925mitrevdb-entryx_refsource_BID
github.com/neomutt/neomutt/commit/95e80bf9ff10f68cb6443f760b85df4117cb15ebmitrex_refsource_MISC
gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1dmitrex_refsource_MISC
lists.debian.org/debian-lts-announce/2018/08/msg00001.htmlmitremailing-listx_refsource_MLIST
neomutt.org/2018/07/16/releasemitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000