Skip to main content

Ox Dovecot Pro

12 CVEs product

Monthly

CVE-2026-42006 MEDIUM PATCH This Month

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessive open braces in IMAP commands, bypassing the incomplete fix from CVE-2026-27857 which only blocked closing braces. An attacker with valid IMAP credentials can exhaust server memory up to the configured vsz_limit, crashing the IMAP process and disrupting mail service.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40020 LOW PATCH Monitor

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_allow_anyone configuration setting and inject the anyone permission into dovecot-acl files, enabling spam of mailbox folders to all users. The vulnerability requires authentication and elevated complexity conditions (CVSS 3.1), and no public exploits are known at the time of analysis.

Authentication Bypass Ox Dovecot Pro
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-27851 CRITICAL PATCH Act Now

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in the 'safe' template filter: when 'safe' is applied during variable expansion, every subsequent pipeline stage on the same string inherits the 'safe' designation, so attacker-controlled data that should be escaped is passed through unescaped. Because variable expansion is used to build authentication backend queries, this enables SQL or LDAP injection by remote unauthenticated attackers. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 2nd percentile).

Code Injection Ox Dovecot Pro
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27859 MEDIUM PATCH This Month

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormally high numbers of RFC 2231 MIME parameters, enabling remote denial of service without authentication or user interaction. Unauthenticated remote attackers can craft malicious MIME messages to trigger algorithmic complexity in parameter parsing, degrading mail service availability. No public exploit code is currently known, and patch availability has not been independently confirmed from the provided advisory reference.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27858 HIGH PATCH This Week

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attackers sending crafted messages. The vulnerability enables remote denial of service against the managesieve protocol without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), with a CVSS score of 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released a security advisory with remediation guidance.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27857 HIGH PATCH This Week

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticated network attacker exhaust process memory by sending NOOP commands containing thousands of nested parentheses. Each such command consumes roughly 1 MB, and by withholding the terminating line-feed the attacker keeps the allocation alive; ~1000 concurrent connections from even a single source IP can pin around 1 GB, breaching the process VSZ limit and killing the service along with its proxied connections. There is no public exploit identified at time of analysis (EPSS 0.04%, percentile 12; CISA SSVC exploitation=none), but the vector is trivial and a vendor patch is available.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27856 MEDIUM PATCH This Month

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing remote unauthenticated attackers to enumerate valid credentials through timing analysis and gain full administrative access to the doveadm management interface. The vulnerability affects OX Dovecot Pro installations with exposed doveadm HTTP service ports, carries a CVSS score of 7.4, and has no public exploit identified at time of analysis.

Oracle Authentication Bypass Ox Dovecot Pro
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24031 HIGH PATCH This Week

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up to 2.4.0) lets remote attackers log in as any user when an administrator has cleared the auth_username_chars setting. The flaw is a CWE-89 SQL injection in the SQL-backed authentication driver: with input character filtering disabled, attacker-controlled username data reaches the SQL auth query unsanitized, enabling both full authentication bypass and account enumeration. Reported by OX and tracked as EUVD-2026-16561; no public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none while assessing technical impact as total.

SQLi Ox Dovecot Pro
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-0394 MEDIUM PATCH This Month

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd when per-domain passwd files are misconfigured above /etc or when slash characters are added to the domain path component. Successful exploitation can expose system authentication data or make system users appear as valid mail users, leading to unauthorized access. No public exploit code is currently known, and the vulnerability requires specific misconfiguration to trigger, resulting in a moderate CVSS score of 5.3 with low confidentiality impact.

Path Traversal Ox Dovecot Pro
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-59032 HIGH PATCH This Week

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using literal format, enabling unauthenticated remote attackers to repeatedly crash the service and deny availability to legitimate users (CVSS 7.5, High availability impact). The vulnerability affects OX Dovecot Pro installations with ManageSieve enabled. No public exploit identified at time of analysis, and EPSS data was not provided in available intelligence.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59031 MEDIUM PATCH This Month

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attackers to index unintended system files and contaminate full-text search indexes with sensitive content. Open-Xchange Dovecot Pro is affected. The vulnerability results in information disclosure (CWE-200) with a CVSS score of 4.3 and requires prior authentication; no public exploit identified at time of analysis.

Information Disclosure Ox Dovecot Pro
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59028 MEDIUM PATCH This Month

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurrent active authentication sessions to fail and enabling denial-of-service attacks against login infrastructure. Unauthenticated remote attackers can trigger this condition with minimal attack complexity by sending malformed base64 sequences to the SASL authentication handler. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.3 reflecting limited availability impact without confidentiality or integrity compromise.

Information Disclosure Ox Dovecot Pro
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessive open braces in IMAP commands, bypassing the incomplete fix from CVE-2026-27857 which only blocked closing braces. An attacker with valid IMAP credentials can exhaust server memory up to the configured vsz_limit, crashing the IMAP process and disrupting mail service.

Denial Of Service Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_allow_anyone configuration setting and inject the anyone permission into dovecot-acl files, enabling spam of mailbox folders to all users. The vulnerability requires authentication and elevated complexity conditions (CVSS 3.1), and no public exploits are known at the time of analysis.

Authentication Bypass Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in the 'safe' template filter: when 'safe' is applied during variable expansion, every subsequent pipeline stage on the same string inherits the 'safe' designation, so attacker-controlled data that should be escaped is passed through unescaped. Because variable expansion is used to build authentication backend queries, this enables SQL or LDAP injection by remote unauthenticated attackers. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 2nd percentile).

Code Injection Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormally high numbers of RFC 2231 MIME parameters, enabling remote denial of service without authentication or user interaction. Unauthenticated remote attackers can craft malicious MIME messages to trigger algorithmic complexity in parameter parsing, degrading mail service availability. No public exploit code is currently known, and patch availability has not been independently confirmed from the provided advisory reference.

Denial Of Service Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attackers sending crafted messages. The vulnerability enables remote denial of service against the managesieve protocol without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), with a CVSS score of 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released a security advisory with remediation guidance.

Denial Of Service Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticated network attacker exhaust process memory by sending NOOP commands containing thousands of nested parentheses. Each such command consumes roughly 1 MB, and by withholding the terminating line-feed the attacker keeps the allocation alive; ~1000 concurrent connections from even a single source IP can pin around 1 GB, breaching the process VSZ limit and killing the service along with its proxied connections. There is no public exploit identified at time of analysis (EPSS 0.04%, percentile 12; CISA SSVC exploitation=none), but the vector is trivial and a vendor patch is available.

Denial Of Service Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing remote unauthenticated attackers to enumerate valid credentials through timing analysis and gain full administrative access to the doveadm management interface. The vulnerability affects OX Dovecot Pro installations with exposed doveadm HTTP service ports, carries a CVSS score of 7.4, and has no public exploit identified at time of analysis.

Oracle Authentication Bypass Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up to 2.4.0) lets remote attackers log in as any user when an administrator has cleared the auth_username_chars setting. The flaw is a CWE-89 SQL injection in the SQL-backed authentication driver: with input character filtering disabled, attacker-controlled username data reaches the SQL auth query unsanitized, enabling both full authentication bypass and account enumeration. Reported by OX and tracked as EUVD-2026-16561; no public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none while assessing technical impact as total.

SQLi Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd when per-domain passwd files are misconfigured above /etc or when slash characters are added to the domain path component. Successful exploitation can expose system authentication data or make system users appear as valid mail users, leading to unauthorized access. No public exploit code is currently known, and the vulnerability requires specific misconfiguration to trigger, resulting in a moderate CVSS score of 5.3 with low confidentiality impact.

Path Traversal Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using literal format, enabling unauthenticated remote attackers to repeatedly crash the service and deny availability to legitimate users (CVSS 7.5, High availability impact). The vulnerability affects OX Dovecot Pro installations with ManageSieve enabled. No public exploit identified at time of analysis, and EPSS data was not provided in available intelligence.

Denial Of Service Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attackers to index unintended system files and contaminate full-text search indexes with sensitive content. Open-Xchange Dovecot Pro is affected. The vulnerability results in information disclosure (CWE-200) with a CVSS score of 4.3 and requires prior authentication; no public exploit identified at time of analysis.

Information Disclosure Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurrent active authentication sessions to fail and enabling denial-of-service attacks against login infrastructure. Unauthenticated remote attackers can trigger this condition with minimal attack complexity by sending malformed base64 sequences to the SASL authentication handler. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.3 reflecting limited availability impact without confidentiality or integrity compromise.

Information Disclosure Ox Dovecot Pro
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy