Eight CVEs, One IMAP Server: Patching the Dovecot Security Bundle
In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention. Here is a breakdown of what matters, in roughly descending order of alarm. The Serious Ones CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH) ...