
dovecot

72 known vulnerabilities across versions.
Each entry gives the CVE identifier, the affected version range as recorded by this database, a summary (summaries are truncated on this page), and, where available, the CVSS base score and severity rating. The recorded version range does not always agree with the fixed version named in the summary (for example CVE-2022-30550 is listed as < 2.4.0 while its summary says fixed before 2.3.20), so confirm the affected and fixed versions against the vendor advisory before acting on a range shown here.
CVE-2026-42006
< 2.4.4
An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only b
CVSS 4.3 MEDIUM
CVE-2026-40020
< 2.4.4
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=
CVSS 3.1 LOW
CVE-2026-40016
< 2.4.4
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve
CVSS 5.3 MEDIUM
CVE-2026-33603
< 2.4.4
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires t
CVSS 6.8 MEDIUM
CVE-2026-27851
< 2.4.4
When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe t
CVSS 7.4 HIGH
CVE-2026-27860
< 2.4.3
If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to po
CVSS 3.7 LOW
CVE-2026-27859
< 2.4.3
A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail
CVSS 5.3 MEDIUM
CVE-2026-27858
< 2.4.3
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory.
CVSS 7.5 HIGH
CVE-2026-27857
< 2.4.3
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result
CVSS 4.3 MEDIUM
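Both CVE-2026-27857 above and CVE-2026-42006 at the top of this list concern IMAP commands whose parenthesis nesting is far deeper than any client legitimately sends. The following is an added example, not Dovecot's or this site's code: a line-level pre-screen that measures nesting depth in IMAP command lines and flags the "NOOP (((...)))" pattern. It assumes you have raw command lines to inspect (for instance from a rawlog or an inspecting proxy), the threshold of 32 levels is an assumption chosen for the illustration, and the sample lines are constructed, not captured.

```python
"""Pre-screen for excessively nested parentheses in IMAP command lines.

Added example, not Dovecot code. It assumes raw IMAP command lines are
available (rawlog, proxy capture) and flags the pattern described for
CVE-2026-27857 / CVE-2026-42006: a command such as "NOOP (((...)))" whose
parenthesis nesting is far deeper than any legitimate client produces.
"""

from dataclasses import dataclass

# Threshold is an assumption for this example; legitimate IMAP commands
# (FETCH, STORE, SEARCH, extended LIST) rarely nest more than a few levels.
MAX_NESTING = 32


@dataclass
class ParenStats:
    max_depth: int      # deepest simultaneous nesting reached
    open_count: int     # total '(' seen outside quoted strings
    unbalanced: bool    # more ')' than '(' at some point, or unclosed at end


def paren_stats(line: str) -> ParenStats:
    """Count parenthesis nesting, ignoring parens inside IMAP quoted strings.

    Quoted strings ("...") may legitimately contain '(' and ')', and a
    backslash escapes the next character inside them (RFC 9051 quoted-char).
    Literal payloads ({n}\\r\\n...) are not handled: this is a line-level
    pre-screen, not a full IMAP parser (an assumption of the example).
    """
    depth = max_depth = opens = 0
    unbalanced = False
    in_quote = False
    escaped = False
    for ch in line:
        if in_quote:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
            continue
        if ch == '"':
            in_quote = True
        elif ch == "(":
            depth += 1
            opens += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth -= 1
            if depth < 0:
                unbalanced = True
                depth = 0
    return ParenStats(max_depth, opens, unbalanced or depth != 0)


def is_suspicious(line: str, max_nesting: int = MAX_NESTING) -> bool:
    """True if the command nests deeper than max_nesting levels."""
    return paren_stats(line).max_depth > max_nesting


# Constructed sample lines (not captured from a real server).
SAMPLES = [
    'a001 NOOP',
    'a002 FETCH 1:* (FLAGS BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT)])',
    'a003 LIST "" "*" RETURN (SPECIAL-USE STATUS (MESSAGES UNSEEN))',
    'a004 SEARCH SUBJECT "see (attached)"',          # parens only inside a quoted string
    'a005 NOOP ' + '(' * 4000 + ')' * 4000,           # the pattern from the advisory
]


def scan(lines=SAMPLES, max_nesting: int = MAX_NESTING):
    """Return (tag, depth) for every command that exceeds the nesting threshold."""
    flagged = []
    for line in lines:
        tag = line.split(" ", 1)[0]
        st = paren_stats(line)
        if st.max_depth > max_nesting:
            flagged.append((tag, st.max_depth))
    return flagged


if __name__ == "__main__":
    for tag, depth in scan():
        print(f"{tag}: nesting depth {depth} exceeds {MAX_NESTING}")
```

Quoted strings are skipped so that a SEARCH or STORE argument containing literal parentheses does not trip the check; a stricter deployment would also bound the total count (open_count), since the advisory's memory growth scales with the number of parentheses, not only the depth.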
CVE-2026-27856
< 2.4.3
Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to
CVSS 7.4 HIGH
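The weakness described for CVE-2026-27856 is a credential check that compares bytes with an early exit, so the time the check takes reveals how many leading bytes of a guess were right. The following is an added example and is not doveadm's code: it places the vulnerable comparison beside the constant-time form and, instead of timing calls, counts how many bytes the vulnerable version examined so the leak is deterministic. The oracle-driven recovery loop runs only against this toy comparison, with the secret length assumed known.

```python
"""Direct vs constant-time credential comparison.

Added example, not doveadm's code. It models the weakness described for
CVE-2026-27856: checking a secret with an early-exit byte comparison leaks,
through response time, how many leading bytes of the guess were correct.
The leak is made visible by counting compared bytes rather than timing the
call, so the demonstration is deterministic.
"""

import hmac
import secrets


def direct_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Vulnerable pattern: returns (match, bytes_examined).

    Stops at the first mismatching byte, like a strcmp()/memcmp()-style loop;
    the number of bytes examined is what a remote attacker recovers by
    timing the check.
    """
    examined = 0
    if len(secret) != len(guess):
        return False, examined
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where
    equal-length inputs differ, so no prefix length leaks."""
    return hmac.compare_digest(secret, guess)


def recover_with_oracle(secret: bytes, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Simulated attacker against the toy oracle above (not against Dovecot).

    For each position it tries every alphabet byte and keeps the one that
    makes the comparison look past that position (or match outright).
    The length is assumed known; a length leak is a separate, simpler oracle.
    """
    found = bytearray()
    for pos in range(len(secret)):
        for cand in alphabet:
            guess = bytes(found) + bytes([cand]) + b"\x00" * (len(secret) - pos - 1)
            matched, examined = direct_compare(secret, guess)
            # A correct byte at `pos` makes the loop examine at least pos + 2 bytes.
            if matched or examined > pos + 1:
                found.append(cand)
                break
        else:
            raise ValueError("byte not in alphabet")
    return bytes(found)


if __name__ == "__main__":
    secret = secrets.token_hex(8).encode()   # 16 hex bytes, fresh each run
    recovered = recover_with_oracle(secret)
    print("recovered secret:", recovered == secret)
    print("constant-time match:", constant_time_compare(secret, recovered))
```

The recovery needs at most len(alphabet) probes per byte instead of len(alphabet)**len(secret) for a brute force, which is why a comparison that leaks position matters even for long secrets; the fix is to use a constant-time comparison wherever a secret is checked, not to lengthen the secret.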
CVE-2026-27855
< 2.4.3
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is alt
CVSS 6.8 MEDIUM
CVE-2026-24031
< 2.4.3
Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing
CVSS 7.7 HIGH
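CVE-2026-24031 here and CVE-2026-27860 above both hinge on the same setting: auth_username_chars, which, per Dovecot's documentation, rejects a login whose username contains a character outside the allowed set, and allows every character when set empty. The following is an added example, not Dovecot's code. It models that check with Dovecot's documented default character set, shows which metacharacter-bearing usernames reach the passdb under the default versus an empty setting, and places the resulting LDAP filter and SQL query beside their escaped and parameterized forms. The query templates, the %u-style substitution and the probe usernames are assumptions of the illustration, not Dovecot's actual queries or the advisories' payloads.

```python
"""Model of what auth_username_chars does and why clearing it is dangerous.

Added example, not Dovecot's code. It assumes the documented semantics of
the setting: a username containing a character outside the allowed set
fails before any passdb lookup, and an empty setting allows every
character. DEFAULT_USERNAME_CHARS is Dovecot's documented default. The
LDAP filter and SQL query templates below are illustrative, not Dovecot's.
"""

from typing import Optional

# Dovecot's documented default for auth_username_chars.
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)
EMPTY_USERNAME_CHARS = ""   # "allow all", the setting the advisories warn about


def username_allowed(username: str, allowed_chars: str) -> bool:
    """Empty set means no restriction; otherwise every char must be listed."""
    if not allowed_chars:
        return True
    return all(ch in allowed_chars for ch in username)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of filter assertion values: the defence that does
    not depend on the username-chars setting. Backslash goes first so the
    other replacements are not double-escaped."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\x00", r"\00"))


def build_ldap_filter(username: str, allowed_chars: str, escape: bool) -> Optional[str]:
    """Return the LDAP filter that would be sent, or None if the name is rejected.

    Template is illustrative (assumption); the point is where the username
    lands inside the filter and whether it was escaped on the way in.
    """
    if not username_allowed(username, allowed_chars):
        return None
    value = ldap_escape(username) if escape else username
    return f"(&(objectClass=inetOrgPerson)(uid={value}))"


def build_sql_query(username: str, allowed_chars: str, parameterized: bool):
    """Return (sql, params), or None if the name is rejected.

    The parameterized form never interpolates the username into SQL text,
    so it stays safe even when auth_username_chars is cleared.
    """
    if not username_allowed(username, allowed_chars):
        return None
    if parameterized:
        return ("SELECT password FROM users WHERE userid = ?", (username,))
    return (f"SELECT password FROM users WHERE userid = '{username}'", ())


# Constructed probe usernames: an ordinary one and two carrying LDAP filter
# or SQL metacharacters that the default character set does not permit.
PROBES = {
    "ordinary": "alice@example.org",
    "ldap_meta": "*)(uid=*",
    "sql_meta": "x' OR '1'='1",
}


def outcomes(allowed_chars: str) -> dict:
    """Which probes get past the username-chars check under a given setting."""
    return {name: username_allowed(u, allowed_chars) for name, u in PROBES.items()}


if __name__ == "__main__":
    for label, chars in (("default", DEFAULT_USERNAME_CHARS), ("empty", EMPTY_USERNAME_CHARS)):
        print(label, outcomes(chars))
        print("  raw LDAP filter:", build_ldap_filter(PROBES["ldap_meta"], chars, escape=False))
        print("  escaped filter: ", build_ldap_filter(PROBES["ldap_meta"], chars, escape=True))
```

The character whitelist is a useful first line, but the durable fix is in the query layer: escape assertion values before they enter an LDAP filter and use bound parameters for SQL, so that clearing auth_username_chars to admit, say, usernames with spaces or apostrophes does not reopen injection.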
CVE-2026-0394
< 2.4.0
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has b
CVSS 5.3 MEDIUM
CVE-2025-59032
< 2.4.3
ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve servic
CVSS 7.5 HIGH
CVE-2025-59031
< 2.4.3
Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attack
CVSS 4.3 MEDIUM
CVE-2025-59028
< 2.4.3
When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessi
CVSS 5.3 MEDIUM
CVE-2022-30550
>= 2.3 and < 2.4.0
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist wi
CVSS 8.8 HIGH
CVE-2021-33515
< 2.3.14.1
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redire
CVSS 4.8 MEDIUM
CVE-2020-28200
< 2.3.15
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex
CVSS 4.3 MEDIUM
CVE-2021-29157
>= 2.3.11 and < 2.3.14.1
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication i
CVSS 7.5 HIGH
CVE-2020-25275
< 2.3.13
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email me
CVSS 7.5 HIGH
CVE-2020-24386
>= 2.2.26 and < 2.3.13
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via atta
CVSS 6.8 MEDIUM
CVE-2020-12674
< 2.3.11.3
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mish
CVSS 7.5 HIGH
CVE-2020-12673
< 2.3.11.3
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds rea
CVSS 7.5 HIGH
CVE-2020-12100
< 2.3.11.3
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of servi
CVSS 7.5 HIGH
CVE-2020-10967
< 2.3.10.1
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empt
CVSS 5.3 MEDIUM
CVE-2020-10958
< 2.3.10.1
In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submis
CVSS 5.3 MEDIUM
CVE-2020-10957
< 2.3.10.1
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference an
CVSS 7.5 HIGH
CVE-2020-7957
>= 2.3.9 and < 2.3.9.3
The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to com
CVSS 5.3 MEDIUM
CVE-2020-7046
>= 2.3.9 and < 2.3.9.3
lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as de
CVSS 7.5 HIGH
CVE-2019-19722
< 2.3.9.2
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used,
CVSS 5.3 MEDIUM
CVE-2016-4983
all versions
A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files.
CVSS 3.3 LOW
CVE-2019-11500
< 2.2.36.4
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strin
CVSS 9.8 CRITICAL
CVE-2019-11494
>= 2.3.3 and <= 2.3.5.2
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely
CVSS 7.5 HIGH
CVE-2019-11499
>= 2.3.3 and <= 2.3.5.2
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS
CVSS 7.5 HIGH
CVE-2019-10691
< 2.3.5.2
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authen
CVSS 7.5 HIGH
CVE-2019-7524
< 2.2.36.3
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, w
CVSS 8.8 HIGH
CVE-2019-3814
>= 1.1.0 and < 2.2.36.1
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in
CVSS 7.7 HIGH
CVE-2017-2669
>= 2.2.26 and <= 2.2.28
Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authenticatio
CVSS 3.7 LOW
CVE-2017-15130
< 2.2.34
A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TL
CVSS 5.9 MEDIUM
CVE-2017-14461
all versions
A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in poten
CVSS 5.9 MEDIUM
CVE-2017-15132
>= 2.0.0 and <= 2.2.33
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth
CVSS 7.5 HIGH
CVE-2015-3420
<= 2.2.16
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of ser
CVSS 5.9 MEDIUM
CVE-2016-8652
<= 2.2.27
The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of servic
CVSS 5.9 MEDIUM
CVE-2013-2111
<= 2.2.1
The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consump
CVE-2014-3430
all versions
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which
CVE-2013-6171
<= 2.2.6
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users t
CVE-2011-4318
all versions
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify
CVE-2011-2167
all versions
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticat
CVE-2011-2166
all versions
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote au
CVE-2011-1929
all versions
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters i
CVE-2010-3780
all versions
Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneous
CVE-2010-3779
all versions
Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public na
CVE-2010-3707
all versions
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to ad
CVE-2010-3706
all versions
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to ad
CVE-2010-3304
all versions
The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which mi
CVE-2010-0745
all versions
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) vi
CVE-2009-3897
>= 1.2.0 and < 1.2.8
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local u
CVSS 5.5 MEDIUM
CVE-2009-3235
all versions
Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus
CVE-2008-5301
all versions
Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to rea
CVE-2008-4907
all versions
The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote at
CVE-2008-4870
all versions
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which a
CVE-2008-4578
<= 1.1.3
The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create un
CVE-2008-4577
< 1.1.4
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers
CVSS 7.5 HIGH
CVE-2008-1218
<= 1.0.12
Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows rem
CVE-2008-1199
all versions
Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow loca
CVE-2007-6598
<= 1.0.9
Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth ca
CVE-2007-4211
<= 1.0.2
The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COP
CVE-2007-2231
all versions
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remo
CVE-2006-5973
all versions
Off-by-one buffer overflow in Dovecot 1.0test53 through 1.0.rc14, and possibly other versions, when index files are used and mmap_
CVE-2006-2414
all versions
Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows remote attackers to list files and directories under the mbox
CVE-2006-0730
<= 1.0beta2
Multiple unspecified vulnerabilities in Dovecot before 1.0beta3 allow remote attackers to cause a denial of service (application c
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin