CVE-2026-27851
Published: 2026-05-12 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 7.4 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-235
Affected products
| Vendor | Product |
|---|---|
| dovecot | dovecot |
| open-xchange | dovecot |
Description
When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when the expansion is used in authentication. Avoid using the safe filter until running a fixed version. No publicly available exploits are known.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-42006 — An attacker can cause uncontrolled memory usage with excessive bracing over IMAP (4.3 MEDIUM)
- CVE-2026-40020 — Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no (3.1 LOW)
- CVE-2026-40016 — Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 1... (5.3 MEDIUM)
- CVE-2026-33603 — Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding (6.8 MEDIUM)