CVE-2025-26794 HIGH

Vendor Exim
Product Exim
Weakness CWE-89 · SQLi
Published February 21, 2025
Last update December 18, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

Key dates

02 Disclosure timeline

February 21, 2025 CVE published
December 18, 2025 Record updated