VYPR
Vendor

Fetchmail

Fetchmail is an open-source software utility for POSIX-compliant operating systems which is used to retrieve e-mail from a remote POP3, IMAP, or ODMR mail server to the user's local system. It was developed from the popclient program, written by Carl Harris.

Founded 1996
Products
1
CVEs
26
Across products
26
Status
Private

Products

1

Recent CVEs

26
View all 26 CVEs →
  • CVE-2025-61962MedOct 4, 2025
    risk 0.31cvss 5.9epss 0.00

    In fetchmail before 6.5.6, the SMTP client can crash when authenticating upon receiving a 334 status code in a malformed context.

  • CVE-2001-1009Aug 31, 2001
    risk 0.04cvss epss 0.07

    Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious (1) IMAP server or (2) POP/POP3 server to overwrite arbitrary memory and possibly gain privileges via a negative index number as part of a response to a LIST request.

  • CVE-2001-0819Dec 6, 2001
    risk 0.01cvss epss 0.06

    A buffer overflow in Linux fetchmail before 5.8.6 allows remote attackers to execute arbitrary code via a large 'To:' field in an email header.

  • CVE-2021-39272Aug 30, 2021
    risk 0.00cvss epss 0.01

    Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

  • CVE-2021-36386Jul 29, 2021
    risk 0.00cvss epss 0.03

    report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use…

  • CVE-2012-3482Dec 21, 2012
    risk 0.00cvss epss 0.02

    Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2)…

  • CVE-2011-1947Jun 2, 2011
    risk 0.00cvss epss 0.03

    fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

  • CVE-2010-1167May 7, 2010
    risk 0.00cvss epss 0.02

    fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3…

  • CVE-2010-0562Feb 8, 2010
    risk 0.00cvss epss 0.03

    The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate…

  • CVE-2009-2666Aug 7, 2009
    risk 0.00cvss epss 0.01

    socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a…

  • CVE-2008-2711Jun 16, 2008
    risk 0.00cvss epss 0.03

    fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format…

  • CVE-2007-4565Aug 28, 2007
    risk 0.00cvss epss 0.02

    sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.

  • CVE-2007-1558Apr 16, 2007
    risk 0.00cvss epss 0.02

    The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird…

  • CVE-2006-5974Dec 31, 2006
    risk 0.00cvss epss 0.04

    fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message delivered via the mda option, allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the (1) ferror or (2) fflush functions.

  • CVE-2006-5867Dec 31, 2006
    risk 0.00cvss epss 0.04

    fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks.

  • CVE-2006-0321Jan 24, 2006
    risk 0.00cvss epss 0.03

    fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster.

  • CVE-2005-4348Dec 21, 2005
    risk 0.00cvss epss 0.04

    fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.

  • CVE-2005-3088Oct 27, 2005
    risk 0.00cvss epss 0.00

    fetchmailconf before 1.49 in fetchmail 6.2.0, 6.2.5 and 6.2.5.2 creates configuration files with insecure world-readable permissions, which allows local users to obtain sensitive information such as passwords.

  • CVE-2005-2335Jul 27, 2005
    risk 0.00cvss epss 0.06

    Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue.…

  • CVE-2003-0792Nov 17, 2003
    risk 0.00cvss epss 0.02

    Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email.