| purl | pkg:deb/debian/dovecot@1:2.3.13%2Bdfsg1-2%2Bdeb11u1?distro=trixie |
| Next non-vulnerable version | 1:2.3.13+dfsg1-2+deb11u2 |
| Latest non-vulnerable version | 1:2.4.4+dfsg1-1 |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-27s2-gng4-1bhh (Aliases: CVE-2026-40016) | dovecot: Dovecot: Denial of Service due to Sieve script CPU limit bypass | Affected by 0 other vulnerabilities. |
| VCID-j93x-hyyh-gffr (Aliases: CVE-2026-42006) | An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, an attacker can cause memory usage up to the configured memory limit. Install a fixed version, or configure vsz_limit for the imap process to a low value. No publicly available exploits are known. | Affected by 0 other vulnerabilities. |
| VCID-kkty-x6mj-mbct (Aliases: CVE-2020-28200) | dovecot: insufficient protection against excessive resource usage allows for a DoS | Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-mh7d-bnq4-6bdt (Aliases: CVE-2026-33603) | dovecot: Dovecot: Information disclosure via SCRAM TLS channel binding bypass | Affected by 0 other vulnerabilities. |
| VCID-vc9j-tdn6-jfgn (Aliases: CVE-2026-40020) | dovecot: dovecot: Denial of Service via IMAP SETACL command injection | Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-19q8-h58d-wufu | | CVE-2008-5301 |
| VCID-1t6h-bk1d-1yhz | Dovecot possible privilege escalation in ACL plugin | CVE-2007-4211 |
| VCID-2nb4-u7v9-vbcw | cyrus-imapd: CMU sieve buffer overflows | CVE-2009-3235 |
| VCID-2u5e-kv5d-ryfw | dovecot: specially crafted email can cause mailbox to have permanently unaccessible mail | CVE-2020-7957 |
| VCID-4163-hk21-9kcw | dovecot: bypass of the 'k' right in the ACL plugin | CVE-2008-4578 |
| VCID-47z4-1gtw-wugn | | CVE-2019-10691 |
| VCID-4m5u-xma2-tfba | dovecot: command followed by sufficient number of newlines leads to use-after-free | CVE-2020-10958 |
| VCID-56dg-t6gh-7yf8 | dovecot: IMAP hibernation function allows mail access | CVE-2020-24386 |
| VCID-56n9-zct3-t7ce | dovecot: DoS (daemon hang) when parsing invalid IMAP APPEND command parameters | CVE-2013-2111 |
| VCID-5akd-g19j-37fy | dovecot: Denial of service via mail MIME parsing | CVE-2020-25275 |
| VCID-5v7d-yu61-sbab | dovecot: local attacker can login as any user and access their emails | CVE-2021-29157 |
| VCID-6dby-2aqj-hybg | dovecot: Attacker can cause submission-login and lmtp processes to be exhausted leading to DoS | CVE-2020-7046 |
| VCID-6ew2-3e6d-akcn | dovecot: Insecure permissions set for certain directories at installation time | CVE-2009-3897 |
| VCID-6wma-nf8u-dbca | dovecot: Out of bound reads in dovecot NTLM implementation | CVE-2020-12673 |
| VCID-7arx-6g2r-jyga | dovecot: improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes | CVE-2019-11500 |
| VCID-87s1-fruh-x7an | dovecot: Dovecot: Denial of Service via invalid SASL data | CVE-2025-59028 |
| VCID-8bn6-jq33-4ffx | dovecot: Remote crash when auth-policy component is activated | CVE-2016-8652 |
| VCID-95d8-y745-dqh1 | dovecot: per-user DoS via message with malformed headers | CVE-2008-4907 |
| VCID-99s4-55w9-j3b6 | Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memory for user names, which allows remote authenticated users to read the private e-mail of other persons in opportunistic circumstances via standard e-mail clients accessing a user's own mailbox, related to a "memory aliasing issue." | CVE-2010-4011 |
| VCID-9j4d-p1xm-sfcv | dovecot: very large headers can cause resource exhaustion when parsing message | CVE-2024-23185 |
| VCID-9xqt-2r4s-9uay | dovecot: INBOX ACLs to newly created mailboxes propagation, possibly leading to weak ACLs | CVE-2010-3304 |
| VCID-aaz6-snu5-jfcz | | CVE-2019-11499 |
| VCID-afuv-geup-nkep | dovecot: SSL/TLS handshake failures leading to a crash of the login process. | CVE-2015-3420 |
| VCID-aw62-tgmq-6fab | dovecot: denial of service via specially crafted NOOP command | CVE-2026-27857 |
| VCID-axkn-u28b-1faq | Dovecot: Admin permissions granted to the owner of each mailbox in a non-public namespace | CVE-2010-3779 |
| VCID-c17c-a97m-47gb | dovecot: Improper certificate validation | CVE-2019-3814 |
| VCID-ceby-8t12-4ufw | | CVE-2026-27851 |
| VCID-ckxs-7yjr-6uey | dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command | CVE-2025-59032 |
| VCID-ct3t-73g3-13fb | dovecot: null pointer dereference in push notification driver | CVE-2019-19722 |
| VCID-d1uh-4v5n-guef | Dovecot: Failed to properly update ACL cache, when multiple rules defined rights for one subject | CVE-2010-3707 |
| VCID-d23w-vmk6-nbf7 | dovecot: malformed NOOP commands leads to DoS | CVE-2020-10957 |
| VCID-dh51-6287-93ad | dovecot: Dovecot: Denial of Service via excessive RFC 2231 MIME parameters | CVE-2026-27859 |
| VCID-dun5-27jk-8kc4 | dovecot: Dovecot: Authentication bypass and user enumeration due to cleared auth_username_chars configuration | CVE-2026-24031 |
| VCID-dw5m-9e2j-4fbr | | CVE-2017-15130 |
| VCID-er7u-sp54-n3cm | dovecot: Dovecot: Information disclosure and authentication bypass via path traversal | CVE-2026-0394 |
| VCID-exaa-hnht-7qgn | dovecot: premature disconnection from client during AUTH command leads to crash and possible DoS | CVE-2019-11494 |
| VCID-fdu5-fb8e-1kfx | dovecot: authenticated remote bypass of intended access restrictions | CVE-2011-2166 |
| VCID-gce5-4cmv-eka5 | dovecot: sending mail with empty quoted localpart leads to DoS | CVE-2020-10967 |
| VCID-gu1j-c1y9-rffm | dovecot: plaintext commands injection | CVE-2021-33515 |
| VCID-h9e3-yaft-1ugm | | CVE-2019-7524 |
| VCID-hcaa-pwqw-gqdq | dovecot: Dovecot: Authentication bypass and information disclosure via LDAP filter injection | CVE-2026-27860 |
| VCID-jch2-nwds-vkb5 | | CVE-2017-15132 |
| VCID-k27q-823h-jyfv | dovecot: denial of service through maxxing out SSL connections | CVE-2014-3430 |
| VCID-ke77-ck27-53ch | dovecot: proxy destination host name not checked against SSL certificate name | CVE-2011-4318 |
| VCID-kgq9-rznb-9yg7 | Directory traversal in dovecot with zlib plugin | CVE-2007-2231 |
| VCID-kr8j-syyj-wkgj | | CVE-2006-0730 |
| VCID-n1f1-ksm6-n3gs | dovecot: Dovecot: Replay attack allows unauthorized login via observed One-Time Password (OTP) exchange | CVE-2026-27855 |
| VCID-nnw6-fyxr-fuer | dovecot LDAP+auth cache user login mixup | CVE-2007-6598 |
| VCID-qg4y-q61f-8bhp | Dovecot: DoS (excessive CPU use) by processing email message with huge header | CVE-2010-0745 |
| VCID-rgxy-4uar-fqae | dovecot: unauthorized login | CVE-2008-1218 |
| VCID-sfmq-y2j4-gqbb | dovecot: Crash due to assert in RPA implementation | CVE-2020-12674 |
| VCID-sgb1-xpjt-mqd5 | Dovecot: Failed to update ACL cache for mailboxes stored in private namespace | CVE-2010-3706 |
| VCID-sxx7-tt6f-jqb5 | Off-by-one buffer overflow in Dovecot 1.0test53 through 1.0.rc14, and possibly other versions, when index files are used and mmap_disable is set to "yes," allows remote authenticated IMAP or POP3 users to cause a denial of service (crash) via unspecified vectors involving the cache file. | CVE-2006-5973 |
| VCID-t3th-71h8-wucc | cyrus-imapd: buffer overflow in cyrus sieve | CVE-2009-2632 |
| VCID-tbg7-zkcu-2qc7 | dovecot: denial of service via crafted message before authentication | CVE-2026-27858 |
| VCID-tk1c-4mwv-1qcd | Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors. | CVE-2010-0535 |
| VCID-tsb7-c8gk-83g4 | dovecot: incorrect handling of negative rights in the ACL plugin | CVE-2008-4577 |
| VCID-tuza-vtd9-z7hu | dovecot: Dovecot: Information disclosure via specially crafted OOXML documents | CVE-2025-59031 |
| VCID-uavn-awjd-53e6 | dovecot: potential crash when parsing header names that contain NUL characters | CVE-2011-1929 |
| VCID-ueqc-nmv6-ubb2 | dovecot: Privilege escalation when similar master and non-master passdbs are used | CVE-2022-30550 |
| VCID-uh1m-t8da-t3d9 | dovecot: using a large number of address headers may trigger a denial of service | CVE-2024-23184 |
| VCID-uzhk-wy7n-d7by | dovecot insecure SSL/TLS key and certificate file creation | CVE-2016-4983 |
| VCID-v17c-vtdw-dfay | Dovecot: Busy master process, receiving a lot of SIGCHLD signals rapidly while logging, could die | CVE-2010-3780 |
| VCID-ws5q-ebk3-13ef | dovecot: Resource exhaustion via deeply nested MIME parts | CVE-2020-12100 |
| VCID-wwhr-mbb6-uuhv | dovecot: insecure mail_extra_groups option | CVE-2008-1199 |
| VCID-wxfb-w1h1-zugk | dovecot: directory traversal due to not obeying chroot directive | CVE-2011-2167 |
| VCID-x1cz-qdvh-2yem | dovecot: passdb checkpassword authentication local bypass | CVE-2013-6171 |
| VCID-x3ay-s2m7-7ufk | dovecot: Doveadm: Full access via timing oracle attack in credential verification | CVE-2026-27856 |
| VCID-xa38-888u-sbhb | dovecot: Dovecot DoS when passdb dict was used for authentication | CVE-2017-2669 |
| VCID-yfe7-1pf6-sfe9 | | CVE-2025-30189 |
| VCID-yth6-g595-1kdc | | CVE-2017-14461 |
| VCID-zc2y-4zjf-pfgm | | CVE-2006-2414 |