Dovecot (software)

All CVEs

76 total · sorted by risk
  • CVE-2024-23185 · High · Sep 10, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The…

  • CVE-2008-4577 · High · Oct 15, 2008
    risk 0.49 · cvss 7.5 · epss 0.02

    The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

  • CVE-2026-27851 · High · May 12, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on…

  • CVE-2026-33603 · Medium · May 12, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications…

  • CVE-2026-24031 · High · Mar 27, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No…

  • CVE-2026-27858 · High · Mar 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install…

  • CVE-2025-59032 · High · Mar 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively…

  • CVE-2016-8652 · Medium · Feb 17, 2017
    risk 0.42 · cvss 5.9 · epss 0.48

    The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.

  • CVE-2026-27856 · High · Mar 27, 2026
    risk 0.41 · cvss 7.4 · epss 0.00

    Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm…

  • CVE-2017-14461 · Medium · Mar 2, 2018
    risk 0.40 · cvss 5.9 · epss 0.18

    A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted…

  • CVE-2017-15130 · Medium · Mar 2, 2018
    risk 0.39 · cvss 5.9 · epss 0.03

    A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.

  • CVE-2015-3420 · Medium · Sep 19, 2017
    risk 0.39 · cvss 5.9 · epss 0.03

    The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allows remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.

  • CVE-2026-27855 · Medium · Mar 27, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as…

  • CVE-2009-3897 · Medium · Nov 24, 2009
    risk 0.36 · cvss 5.5 · epss 0.00

    Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the…

  • CVE-2026-40016 · Medium · May 12, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts.…

  • CVE-2024-25584 · Medium · Sep 6, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single mail with LF DOT LF in middle, into two emails when relaying to SMTP. Dovecot will split mail with LF DOT LF into two mails.…

  • CVE-2024-23184 · Medium · Sep 10, 2024
    risk 0.33 · cvss 5.0 · epss 0.01

    Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by…

  • CVE-2026-42006 · Medium · May 12, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open…

  • CVE-2026-27859 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages,…

  • CVE-2026-0394 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading…

  • CVE-2025-59028 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in…

  • CVE-2026-27857 · Medium · Mar 27, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect…

  • CVE-2025-59031 · Medium · Mar 27, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not…

  • CVE-2026-40020 · Low · May 12, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is…

  • CVE-2026-27860 · Low · Mar 27, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly…

  • CVE-2008-1218 · Mar 10, 2008
    risk 0.04 · cvss · epss 0.07

    Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the…

  • CVE-2019-11500 · Aug 29, 2019
    risk 0.03 · cvss · epss 0.62

    In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

  • CVE-2008-4907 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.06

    The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid…

  • CVE-2020-12674 · Aug 12, 2020
    risk 0.02 · cvss · epss 0.06

    In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.

  • CVE-2020-12100 · Aug 12, 2020
    risk 0.02 · cvss · epss 0.05

    In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.

  • CVE-2020-10957 · May 18, 2020
    risk 0.02 · cvss · epss 0.07

    In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.

  • CVE-2022-30550 · Jul 17, 2022
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly…

  • CVE-2020-28200 · Jun 28, 2021
    risk 0.00 · cvss · epss 0.02

    The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

  • CVE-2021-33515 · Jun 28, 2021
    risk 0.00 · cvss · epss 0.03

    The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

  • CVE-2021-29157 · Jun 28, 2021
    risk 0.00 · cvss · epss 0.00

    Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

  • CVE-2020-24386 · Jan 4, 2021
    risk 0.00 · cvss · epss 0.03

    An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

  • CVE-2020-25275 · Jan 4, 2021
    risk 0.00 · cvss · epss 0.05

    Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.

  • CVE-2020-12673 · Aug 12, 2020
    risk 0.00 · cvss · epss 0.06

    In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.

  • CVE-2020-10967 · May 18, 2020
    risk 0.00 · cvss · epss 0.08

    In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

  • CVE-2020-10958 · May 18, 2020
    risk 0.00 · cvss · epss 0.06

    In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.

  • CVE-2020-7957 · Feb 12, 2020
    risk 0.00 · cvss · epss 0.02

    The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.

  • CVE-2020-7046 · Feb 12, 2020
    risk 0.00 · cvss · epss 0.51

    lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.

  • CVE-2019-19722 · Dec 13, 2019
    risk 0.00 · cvss · epss 0.02

    In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.

  • CVE-2019-11494 · May 8, 2019
    risk 0.00 · cvss · epss 0.02

    In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.

  • CVE-2019-11499 · May 8, 2019
    risk 0.00 · cvss · epss 0.03

    In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.

  • CVE-2019-10691 · Apr 24, 2019
    risk 0.00 · cvss · epss 0.03

    The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.

  • CVE-2019-7524 · Mar 28, 2019
    risk 0.00 · cvss · epss 0.01

    In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.

  • CVE-2019-3814 · Mar 27, 2019
    risk 0.00 · cvss · epss 0.02

    It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.

  • CVE-2017-2669 · Low · Jun 21, 2018
    risk 0.00 · cvss 3.7 · epss 0.05

    Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields…

  • CVE-2017-15132 · High · Jan 25, 2018
    risk 0.00 · cvss 7.5 · epss 0.03

    A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the…
