CVE-2026-2469

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/wanamirulhakim/74b41589cdea3c07c3375e5946960778
https://github.com/DirectoryTree/ImapEngine/commit/87fca56affd9527e6907a705e6d600c5174d9a5a
https://github.com/DirectoryTree/ImapEngine/pull/150
https://security.snyk.io/vuln/SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Versiones del paquete directorytree/imapengine anteriores a la 1.22.3 son vulnerables a la Neutralización Incorrecta de Elementos Especiales en la Salida Utilizada por un Componente Descendente ('Inyección') a través de la función id() en ImapConnection.PHP debido al escape incorrecto de la entrada del usuario antes de incluirla en los comandos IMAP ID. Esto permite a los atacantes leer o eliminar los correos electrónicos de la víctima, terminar la sesión de la víctima o ejecutar cualquier comando IMAP válido en el buzón de la víctima al incluir caracteres de comillas " o secuencias CRLF \r\n en la entrada.

14 Feb 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-14 05:16

Updated : 2026-06-17 10:31

NVD link : CVE-2026-2469

Mitre link : CVE-2026-2469

CVE.ORG link : CVE-2026-2469

JSON object : View

Products Affected

No product.

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2026-2469", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-2469", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T20:01:32.912561Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "report@snyk.io", "affectedData": [{"vendor": "n/a", "product": "directorytree/imapengine", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.3", "versionType": "semver"}]}]}], "published": "2026-02-14T05:16:22.270", "references": [{"url": "https://gist.github.com/wanamirulhakim/74b41589cdea3c07c3375e5946960778", "source": "report@snyk.io"}, {"url": "https://github.com/DirectoryTree/ImapEngine/commit/87fca56affd9527e6907a705e6d600c5174d9a5a", "source": "report@snyk.io"}, {"url": "https://github.com/DirectoryTree/ImapEngine/pull/150", "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300", "source": "report@snyk.io"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters \" or CRLF sequences \\r\\n in the input."}, {"lang": "es", "value": "Versiones del paquete directorytree/imapengine anteriores a la 1.22.3 son vulnerables a la Neutralizaci\u00f3n Incorrecta de Elementos Especiales en la Salida Utilizada por un Componente Descendente ('Inyecci\u00f3n') a trav\u00e9s de la funci\u00f3n id() en ImapConnection.PHP debido al escape incorrecto de la entrada del usuario antes de incluirla en los comandos IMAP ID. Esto permite a los atacantes leer o eliminar los correos electr\u00f3nicos de la v\u00edctima, terminar la sesi\u00f3n de la v\u00edctima o ejecutar cualquier comando IMAP v\u00e1lido en el buz\u00f3n de la v\u00edctima al incluir caracteres de comillas \" o secuencias CRLF \\r\\n en la entrada."}], "lastModified": "2026-06-17T10:31:07.087", "sourceIdentifier": "report@snyk.io"}