VYPR

Opensmtpd

by OpenBSD

Source repositories

CVEs (8)

  • CVE-2015-7687CriOct 16, 2017
    risk 0.64cvss 9.8epss 0.04

    Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.

  • CVE-2020-7247KEVJan 29, 2020
    risk 0.23cvss epss 0.99

    smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented"…

  • CVE-2020-8794Feb 25, 2020
    risk 0.10cvss epss 0.89

    OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client…

  • CVE-2020-8793Feb 25, 2020
    risk 0.03cvss epss 0.01

    OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.

  • CVE-2025-62875Nov 20, 2025
    risk 0.00cvss epss 0.00

    An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.

  • CVE-2023-29323Apr 4, 2023
    risk 0.00cvss epss 0.00

    ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address.

  • CVE-2020-35680Dec 24, 2020
    risk 0.00cvss epss 0.04

    smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity, because the filter state machine does not properly maintain the…

  • CVE-2013-2125May 27, 2014
    risk 0.00cvss epss 0.02

    OpenSMTPD before 5.3.2 does not properly handle SSL sessions, which allows remote attackers to cause a denial of service (connection blocking) by keeping a connection open.