Description
Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
Published: 2026-02-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Apply Patch
AI Analysis

Impact

ImapEngine versions prior to 1.22.3 embed user supplied data directly into IMAP ID commands without proper escaping. This flaw, classified as CWE-74, allows an attacker to inject quote characters or CRLF sequences into the command string. By exploiting this, an attacker can read or delete mailbox contents, terminate a victim’s IMAP session, or execute any valid IMAP command on the victim’s mailbox, resulting in unauthorized data exposure, loss, or modification.

Affected Systems

The vulnerable product is DirectoryTree’s ImapEngine. All releases before 1.22.3 are affected. No other major versions are listed as impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate severity, while an EPSS score of less than 1 % suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a specially crafted IMAP ID command, which implies that a user session or an automated IMAP client can act as the attack vector. Based on the description, the likely attack path involves feeding unsanitized input into the id() function from a downstream IMAP component.

Generated by OpenCVE AI on April 17, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImapEngine to version 1.22.3 or later to remove the injection flaw.
  • If an upgrade cannot be performed immediately, sanitize all data supplied to the id() function by escaping quotation marks and CRLF sequences before constructing the IMAP ID command, thereby mitigating CWE‑74.
  • Implement least‑privilege controls for ImapEngine and monitor IMAP logs for anomalous ID command activity to detect potential exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 19:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rfq9-4wcm-64gh ImapEngine affected by command injection via the ID command parameters
History

Tue, 17 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Directorytree
Directorytree imapengine
Vendors & Products Directorytree
Directorytree imapengine

Sat, 14 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
Weaknesses CWE-74
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:P'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Directorytree Imapengine
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-02-17T20:01:40.343Z

Reserved: 2026-02-13T14:30:50.548Z

Link: CVE-2026-2469

cve-icon Vulnrichment

Updated: 2026-02-17T20:01:36.416Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T05:16:22.270

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:00:08Z

Weaknesses