CVE-2026-2469 HIGH

Vendor N/A
Product directorytree/imapengine
Weakness CWE-74
Published February 14, 2026
Last update February 17, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:P

What the vulnerability does

01 Description

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php, which does not properly escape user input before including it in IMAP ID commands. By including quote characters " or CRLF sequences \r\n in the input, an attacker can read or delete the victim's emails, terminate the victim's session, or execute any valid IMAP command on the victim's mailbox.
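
The class of fix this weakness calls for, as an added example that is not code from directorytree/imapengine or its actual patch: ID fields are encoded as IMAP quoted strings, with quote and backslash escaped and CR, LF and other control bytes rejected outright. The function names imap_quote() and build_id_command(), the array-shaped input and the sample values are assumptions; the length and count limits are those of RFC 2971.

```php
<?php
declare(strict_types=1);

// Added illustration; imap_quote() and build_id_command() are hypothetical names.

/** Encode a value as an IMAP quoted string (RFC 3501 "quoted"). */
function imap_quote(string $value, int $maxLen): string
{
    // CR, LF, NUL, other control bytes and 8-bit bytes cannot appear in a
    // quoted string, so reject them instead of trying to escape them.
    if (preg_match('/[^\x20-\x7e]/', $value) === 1) {
        throw new InvalidArgumentException('control or non-ASCII byte in IMAP string');
    }
    if (strlen($value) > $maxLen) {
        throw new InvalidArgumentException("IMAP ID string longer than $maxLen octets");
    }
    // Escape the two quoted-specials: backslash and double quote.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

/** Build the ID command body (no tag, no trailing CRLF); null or [] gives NIL. */
function build_id_command(?array $fields): string
{
    if ($fields === null || $fields === []) {
        return 'ID NIL';
    }
    if (count($fields) > 30) {
        throw new InvalidArgumentException('more than 30 ID field-value pairs');
    }
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = imap_quote((string) $name, 30);
        $parts[] = $value === null ? 'NIL' : imap_quote((string) $value, 1024);
    }
    return 'ID (' . implode(' ', $parts) . ')';
}

// Constructed inputs: one value with embedded quotes, one with a quote and CRLF.
echo build_id_command(['name' => 'Acme "Mail"', 'version' => '1.0']), PHP_EOL;
try {
    build_id_command(['name' => "x\"\r\ninjected"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call keeps the embedded quotes inside the string as \" pairs; the second never reaches the wire because the CRLF is refused before any command text is built.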

Key dates

02 Disclosure timeline

February 14, 2026 CVE published
February 17, 2026 Record updated