https://blog.kalfaoglu.net/tags/dovecot/Recent content in Dovecot on kalfaoglu.netHugoenMon, 04 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-04-dovecot-security-advisory-en/Mon, 04 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-04-dovecot-security-advisory-en/<p>In late March, the Dovecot team published advisory <a href="https://seclists.org/fulldisclosure/2026/Mar/13">OXDC-ADV-2026-0001</a> — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention.</p> <p>Here is a breakdown of what matters, in roughly descending order of alarm.</p> <h2 id="the-serious-ones">The Serious Ones</h2> <p><strong>CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH)</strong></p>