CVE-2026-2469

HIGH SEVERITY

CVSS Score & Metrics

Base Score: 7.6 / 10
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Vulnerability Description

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php, which does not properly escape user input before including it in IMAP ID commands. By including quote characters (") or CRLF sequences (\r\n) in the input, an attacker can read or delete the victim's emails, terminate the victim's session, or execute any valid IMAP command on the victim's mailbox.
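The neutralization the description refers to, as an added example (this is not code from directorytree/imapengine or from this advisory): values placed in an ID command are encoded as RFC 3501 quoted strings, with CR, LF and NUL rejected and backslash and double quote escaped. The function names, the tag `A1` and the sample values are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; not taken from directorytree/imapengine.

/** Naive form: wraps the value in quotes without neutralizing anything. */
function naiveQuote(string $value): string
{
    return '"' . $value . '"';
}

/** Encode a value as an RFC 3501 quoted string, or refuse it. */
function imapQuote(string $value): string
{
    // CR, LF and NUL can never appear inside a quoted string; a CRLF would
    // end the current command line, so reject instead of trying to escape.
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        throw new InvalidArgumentException('CR, LF or NUL in IMAP string');
    }
    // Backslash and double quote are the two quoted-specials; escape both.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

/** Build an ID command (RFC 2971) from field/value pairs. */
function buildIdCommand(string $tag, array $fields, callable $quote): string
{
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = $quote((string) $name);
        $parts[] = $quote((string) $value);
    }
    return sprintf("%s ID (%s)\r\n", $tag, implode(' ', $parts));
}

// Constructed inputs: one benign, one with a quote, one with a CRLF.
$samples = [
    ['name' => 'webmail', 'version' => '1.0'],
    ['name' => 'web"mail'],
    ['name' => "webmail\r\nINJECTED-LINE"],
];
foreach ($samples as $fields) {
    // json_encode makes the quotes and control characters visible.
    echo 'naive: ', json_encode(buildIdCommand('A1', $fields, 'naiveQuote')), PHP_EOL;
    try {
        echo 'safe:  ', json_encode(buildIdCommand('A1', $fields, 'imapQuote')), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:  rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

In the naive output the second sample produces an unbalanced quoted string and the third spans two protocol lines; the hardened encoder escapes the former and refuses the latter.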

Vulnerability Details

Published Date:
Last Modified:
CWE ID: CWE-74
Source: NVD
Vendor: composer
Product: directorytree/imapengine

External References
