Medium severity4.3NVD Advisory· Published Mar 27, 2026· Updated Apr 29, 2026

CVE-2025-59031

Description

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

Affected products

Dovecot (software)/Dovecot
cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
Range: <2.4.3
Open-Xchange/Dovecot
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Range: <2.3.22.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.jsonnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000