Skip to main content

Postfix

4 CVEs product

Monthly

CVE-2026-43964 HIGH PATCH This Week

Remote denial of service in the Postfix mail transfer agent (before 3.8.16, 3.9.x before 3.9.10, and 3.10.x before 3.10.9) lets attackers crash the process through a malformed enhanced status code that ends immediately after the third numeric component with no trailing text, triggering a buffer over-read. The flaw affects availability only - no data exposure or code execution - and has no public exploit identified at time of analysis. EPSS is very low (0.04%, 11th percentile) and CISA SSVC rates exploitation as none and non-automatable, consistent with a crash-only bug.

Denial Of Service Postfix
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2023-51764 MEDIUM POC This Month

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Postfix Fedora Enterprise Linux
NVD GitHub
CVSS 3.1
5.3
EPSS
2.6%
CVE-2020-12063 MEDIUM POC This Month

A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Postfix
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2012-0811 MEDIUM POC This Month

Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Postfix
NVD
CVSS 2.0
6.5
EPSS
0.5%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in the Postfix mail transfer agent (before 3.8.16, 3.9.x before 3.9.10, and 3.10.x before 3.10.9) lets attackers crash the process through a malformed enhanced status code that ends immediately after the third numeric component with no trailing text, triggering a buffer over-read. The flaw affects availability only - no data exposure or code execution - and has no public exploit identified at time of analysis. EPSS is very low (0.04%, 11th percentile) and CISA SSVC rates exploitation as none and non-automatable, consistent with a crash-only bug.

Denial Of Service Postfix
NVD VulDB
EPSS 3% CVSS 5.3
MEDIUM POC This Month

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Postfix Fedora +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Postfix
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Postfix
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy