CVE-2025-15366

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

CVSS

No CVSS.

References

Link	Resource
https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45
https://github.com/python/cpython/issues/143921
https://github.com/python/cpython/pull/143922
https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El módulo imaplib, cuando se le pasa un comando controlado por el usuario, puede tener comandos adicionales inyectados usando saltos de línea. La mitigación rechaza comandos que contienen caracteres de control.

20 Jan 2026, 23:16

Type	Values Removed	Values Added
References		() https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 -

20 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-20 22:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-15366

Mitre link : CVE-2025-15366

CVE.ORG link : CVE-2025-15366

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2025-15366", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cna@python.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-20T22:15:51.023", "references": [{"url": "https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/issues/143921", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/pull/143922", "source": "cna@python.org"}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/", "source": "cna@python.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cna@python.org", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters."}, {"lang": "es", "value": "El m\u00f3dulo imaplib, cuando se le pasa un comando controlado por el usuario, puede tener comandos adicionales inyectados usando saltos de l\u00ednea. La mitigaci\u00f3n rechaza comandos que contienen caracteres de control."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cna@python.org"}