VYPR

Dovecot

by Dovecot (software)

CVEs (74)

  • CVE-2026-27857 · Med · Mar 27, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Sending a "NOOP (((...)))" command with 4000 open+close parentheses results in ~1 MB of extra memory usage. Longer commands result in client disconnection. This 1 MB can be kept allocated for longer periods by not sending the LF that terminates the command. So attacker could connect…

  • CVE-2025-59031 · Med · Mar 27, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Dovecot has provided a script to use for attachment-to-text conversion. This script unsafely handles zip-style attachments. An attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently end up in FTS indexes. Do not…

  • CVE-2026-40020 · Low · May 12, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is…

  • CVE-2026-27860 · Low · Mar 27, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This potentially bypasses restrictions and allows probing of the LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly…

  • CVE-2008-1218 · Mar 10, 2008
    risk 0.04 · cvss n/a · epss 0.07

    Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the…

  • CVE-2019-11500 · Aug 29, 2019
    risk 0.03 · cvss n/a · epss 0.62

    In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

  • CVE-2008-4907 · Nov 4, 2008
    risk 0.03 · cvss n/a · epss 0.06

    The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid…

  • CVE-2020-12674 · Aug 12, 2020
    risk 0.02 · cvss n/a · epss 0.06

    In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.

  • CVE-2020-12100 · Aug 12, 2020
    risk 0.02 · cvss n/a · epss 0.05

    In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.

  • CVE-2020-10957 · May 18, 2020
    risk 0.02 · cvss n/a · epss 0.07

    In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.

  • CVE-2022-30550 · Jul 17, 2022
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly…

  • CVE-2020-28200 · Jun 28, 2021
    risk 0.00 · cvss n/a · epss 0.02

    The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

  • CVE-2021-33515 · Jun 28, 2021
    risk 0.00 · cvss n/a · epss 0.03

    The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

  • CVE-2021-29157 · Jun 28, 2021
    risk 0.00 · cvss n/a · epss 0.00

    Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

  • CVE-2020-24386 · Jan 4, 2021
    risk 0.00 · cvss n/a · epss 0.03

    An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

  • CVE-2020-25275 · Jan 4, 2021
    risk 0.00 · cvss n/a · epss 0.05

    Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.

  • CVE-2020-12673 · Aug 12, 2020
    risk 0.00 · cvss n/a · epss 0.06

    In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.

  • CVE-2020-10967 · May 18, 2020
    risk 0.00 · cvss n/a · epss 0.08

    In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

  • CVE-2020-10958 · May 18, 2020
    risk 0.00 · cvss n/a · epss 0.06

    In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.

  • CVE-2020-7957 · Feb 12, 2020
    risk 0.00 · cvss n/a · epss 0.02

    The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.
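Added example (not code from VYPR or from the Dovecot project): the script below transcribes the version ranges stated in the summaries above and reports which of the listed CVEs a given Dovecot version falls into. Ranges are encoded literally as written ("before 2.3.15" means every version below 2.3.15; "1.1.x before 1.1.rc3" means 1.1 release candidates before rc3). The four 2026 entries are truncated on the page and name no version, so they are reported as undetermined rather than guessed. It assumes that `dovecot --version` prints the version as the first whitespace-separated token; the sample version string is constructed.

```python
"""Map a Dovecot version to the CVEs in the listing above whose stated
version range contains it.  Added example; not VYPR's or Dovecot's code."""
import re

# (version prefix that must match, first fixed version or None for "every
# version with that prefix").  An empty prefix matches all versions.
# Transcribed literally from the CVE summaries on the page.
LISTED_RULES = {
    "CVE-2008-1218":  [("1.0", "1.0.13"), ("1.1", "1.1.rc3")],
    "CVE-2019-11500": [("", "2.2.36.4"), ("2.3", "2.3.7.2")],
    "CVE-2008-4907":  [("1.1.4", None), ("1.1.5", None)],
    "CVE-2020-12674": [("", "2.3.11.3")],
    "CVE-2020-12100": [("", "2.3.11.3")],
    "CVE-2020-10957": [("", "2.3.10.1")],
    "CVE-2022-30550": [("2.2", None), ("2.3", "2.3.20")],
    "CVE-2020-28200": [("", "2.3.15")],
    "CVE-2021-33515": [("", "2.3.15")],
    "CVE-2021-29157": [("", "2.3.15")],
    "CVE-2020-24386": [("", "2.3.13")],
    "CVE-2020-25275": [("", "2.3.13")],
    "CVE-2020-12673": [("", "2.3.11.3")],
    "CVE-2020-10967": [("", "2.3.10.1")],
    "CVE-2020-10958": [("", "2.3.10.1")],
    "CVE-2020-7957":  [("2.3.9", "2.3.9.3")],
}
# Summaries cut off on the page before any version is named.
UNDETERMINED = ["CVE-2026-27857", "CVE-2025-59031",
                "CVE-2026-40020", "CVE-2026-27860"]


def parse_version(text):
    """'2.3.7.2' -> (2, 3, 7, 2); '1.1.rc3' -> (1, 1, -1, 3).
    A release candidate becomes (-1, n) so it sorts below the final
    release of the same number.  '' -> () and matches everything."""
    if not text:
        return ()
    parts = []
    for tok in text.split("."):
        if tok.isdigit():
            parts.append(int(tok))
        elif (m := re.fullmatch(r"rc(\d+)", tok)):
            parts.extend((-1, int(m.group(1))))
        else:
            raise ValueError(f"unrecognised version component {tok!r} in {text!r}")
    return tuple(parts)


def compare(a, b):
    """Compare after zero-padding, so 2.3 == 2.3.0 and 1.1.rc3 < 1.1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def affected(cve, version):
    """True if `version` lies inside any range stated for `cve`."""
    v = parse_version(version)
    for prefix, fixed in LISTED_RULES[cve]:
        p = parse_version(prefix)
        if v[:len(p)] != p:
            continue
        if fixed is None or compare(v, parse_version(fixed)) < 0:
            return True
    return False


def version_from_dovecot_output(line):
    """Assumption: `dovecot --version` prints the version as the first
    whitespace-separated token, e.g. '2.3.21 (47349e2482)'."""
    return line.split()[0]


def listed_cves_affecting(version):
    """Returns (sorted CVEs whose stated range contains `version`,
    CVEs the listing gives no version for)."""
    hits = sorted(c for c in LISTED_RULES if affected(c, version))
    return hits, list(UNDETERMINED)


if __name__ == "__main__":
    sample = "2.3.14 (cee3cbc0d)"   # constructed sample, not from a real host
    hits, unknown = listed_cves_affecting(version_from_dovecot_output(sample))
    print("version:", sample)
    print("affected by:", ", ".join(hits) or "none of the versioned entries")
    print("look up manually (no version in listing):", ", ".join(unknown))
```

A version-only check gives false positives on distribution packages that backport fixes without bumping the upstream version (a distro 2.3.13 may already carry the 2.3.15 fixes), and it says nothing about whether the affected component (submission, lmtp, OAuth2 JWT validation, Sieve regex) is actually enabled; treat the output as a list of entries to confirm against the vendor's advisory, not as a verdict.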