Imap

On 5 May 2026, the Dovecot team published security advisory OXDC-2026-0002, covering five vulnerabilities fixed in OX Dovecot CE 2.4.4 (and Pro 3.1.5). If you are running Dovecot CE 2.4.3 or earlier, this is your prompt to upgrade. What’s in the advisory CVE-2026-27851 — SQL/LDAP injection via variable expansion (CVSS 7.4) The most serious of the five. When the safe filter is used in Dovecot’s variable expansion (lib-var-expand), it incorrectly treats all subsequent pipelines on the same string as safe too. The result: attacker-controlled data can bypass escaping and land unmodified in SQL or LDAP queries used for authentication. No public exploit exists yet, but CVSS 7.4 with a network attack vector and no required privileges is not something to sit on. If you cannot upgrade immediately, the workaround is to avoid the safe filter in your configuration until you can. ...

In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention. Here is a breakdown of what matters, in roughly descending order of alarm. The Serious Ones CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH) ...