Description
Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.
Published: 2026-03-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential data exposure through unauthorized file indexing
Action: Replace Script
AI Analysis

Impact

The vulnerability exists in a script that converts email attachments into plain text for full‑text search. The script uncritically processes zip‑style attachments, allowing a malicious OOXML document to create arbitrary files on the server. Those files are then indexed by the FTS engine, making them discoverable. This presents an information‑exposure risk (CWE‑200) because an attacker can cause sensitive files to appear in search results.

Affected Systems

This issue affects the Open‑Xchange GmbH OX Dovecot Pro product. Any installation that includes the default attachment conversion script is potentially impacted. The advisory does not specify version ranges, so all current releases using this script are considered vulnerable.

Risk and Exploitability

The CVSS base score is 4.3, indicating moderate severity. EPSS data is not available and no public exploits are documented. The vulnerability is not in the KEV list. Exploitation requires an attacker to send a specially crafted OOXML attachment that the server processes. The attack vector is therefore internal email handling; it does not provide remote code execution but enables unauthorized file indexing.

Generated by OpenCVE AI on March 27, 2026 at 09:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove the default attachment conversion script in OX Dovecot Pro.
  • Replace the script with a secure alternative, such as the Tika‑based FTS solution.
  • Verify that no unintended files are being indexed after changes.
  • Review the FTS index regularly for unexpected content.

Generated by OpenCVE AI on March 27, 2026 at 09:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Unsafe Attachment Conversion Script Allows Unauthorized File Indexing via Crafted OOXML

Fri, 27 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:33:21.043Z

Reserved: 2025-09-08T14:22:28.105Z

Link: CVE-2025-59031

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T09:16:18.783

Modified: 2026-03-27T09:16:18.783

Link: CVE-2025-59031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:45:47Z

Weaknesses