Skip to main content

Imp

4 CVEs product

Monthly

CVE-2026-58451 HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP Imp
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2012-6640 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Groupware Imp
NVD GitHub VulDB
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-5565 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Imp Groupware
NVD GitHub VulDB
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-0791 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Dynamic Imp Imp Groupware Webmail Edition
NVD
CVSS 2.0
4.3
EPSS
0.6%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Groupware Imp
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Imp Groupware
NVD GitHub VulDB
EPSS 1% CVSS 4.3
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Dynamic Imp Imp +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy