CVE-2025-59031

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dovecot:dovecot::::::::
	cpe:2.3:a:open-xchange:dovecot:::::pro:::*
	cpe:2.3:a:open-xchange:dovecot:::::pro:::*

History

29 Apr 2026, 19:13

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dovecot:dovecot:::::::: cpe:2.3:a:open-xchange:dovecot:::::pro:::*
First Time		Open-xchange Open-xchange dovecot Dovecot Dovecot dovecot
References	~~() https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json -~~	() https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json - Vendor Advisory

27 Mar 2026, 09:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 09:16

Updated : 2026-04-29 19:13

NVD link : CVE-2025-59031

Mitre link : CVE-2025-59031

CVE.ORG link : CVE-2025-59031

JSON object : View

Products Affected

open-xchange

dovecot

dovecot

dovecot

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

4.3 /10