What is the CVSS score of CVE-2026-27851?

CVE-2026-27851 has a CVSS 3.1 base score of 7.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of OX Dovecot Pro are affected by CVE-2026-27851?

CVE-2026-27851 affects OX Dovecot Pro's safe filter and enables SQL/LDAP injection attacks during authentication workflows through improper variable expansion handling.. A patch is available.

OX Dovecot Pro CVE-2026-27851

EUVD-2026-29467 HIGH

Improper Handling of Extra Parameters (CWE-235)

2026-05-12 OX

GHSA-xfpv-rrgm-4qqr

Code Injection Suse

7.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 12, 2026 - 14:15 vuln.today

CVE Published

May 12, 2026 - 13:28 nvd

HIGH 7.4

DescriptionNVD

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.

AnalysisAI

Improper neutralization in OX Dovecot Pro's safe filter allows injection attacks when variable expansion is used, bypassing input sanitization on subsequent pipelines. Network-accessible attackers can exploit this filter logic flaw to inject malicious SQL or LDAP queries during authentication workflows, potentially enabling unauthorized access or data exfiltration. …

RemediationAI

Within 24 hours: Identify all systems running OX Dovecot Pro and document current versions in use; disable safe filter variable expansion if operationally feasible pending patch availability. Within 7 days: Implement network-level access controls restricting Dovecot authentication endpoints to trusted sources only; enable enhanced logging on authentication pipelines to detect injection attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-27851 vulnerability details – vuln.today

Back

OX Dovecot Pro CVE-2026-27851

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code