5.7

ImapEngine: Malicious Input Can Delete or Read Emails

CVE-2026-2469 GHSA-rfq9-4wcm-64gh
Summary

Older versions of ImapEngine can be tricked by malicious input into deleting or reading emails. An attacker could also end the user's email session or execute unauthorized commands on their mailbox. Update to version 1.22.3 or later to fix this issue.

What to do
  • Update directorytree imapengine to version 1.22.3.
Affected software
Vendor | Product | Affected versions | Fix available
directorytree | imapengine | <= 1.22.3 | 1.22.3
Original title
ImapEngine affected by command injection via the ID command parameters
Original description
Versions of the package `directorytree/imapengine` before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters `"` or CRLF sequences `\r\n` in the input.
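The neutralization the description says was missing can be sketched as follows. This is an added example, not ImapEngine's code or its actual fix: the function names are hypothetical, and it assumes ID parameters are sent as IMAP quoted strings (RFC 3501) within the RFC 2971 limits.

```php
<?php
declare(strict_types=1);

// Added illustration: hypothetical helper names, not ImapEngine's API.

// Encode a value as an IMAP quoted string (RFC 3501 "quoted").
function imapQuoted(string $value): string
{
    // CR, LF, NUL and 8-bit bytes cannot appear in a quoted string. Reject
    // them outright so a CRLF in the input can never terminate the command.
    if (preg_match('/[\x00\r\n\x80-\xFF]/', $value) === 1) {
        throw new InvalidArgumentException('not representable as an IMAP quoted string');
    }
    // Backslash and double quote are the quoted-specials: backslash-escape both.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

// Build the ID argument (RFC 2971): NIL, or a parenthesized list of pairs.
function buildIdArguments(?array $fields): string
{
    if ($fields === null || $fields === []) {
        return 'NIL';
    }
    if (count($fields) > 30) {
        throw new InvalidArgumentException('RFC 2971: at most 30 field-value pairs');
    }
    $parts = [];
    foreach ($fields as $name => $value) {
        $name = (string) $name;
        $value = $value === null ? null : (string) $value;
        if (strlen($name) > 30 || ($value !== null && strlen($value) > 1024)) {
            throw new InvalidArgumentException('RFC 2971: field or value too long');
        }
        $parts[] = imapQuoted($name);
        $parts[] = $value === null ? 'NIL' : imapQuoted($value);
    }
    return '(' . implode(' ', $parts) . ')';
}

// Constructed sample input: an embedded quote is escaped, a CRLF is refused.
echo buildIdArguments(['name' => 'Example "Mail" Client', 'version' => '1.0']), PHP_EOL;
try {
    buildIdArguments(['name' => "client\r\nsecond line"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting CR and LF instead of stripping them keeps the failure visible to the caller, which is useful when the ID fields are populated from tenant or user-controlled settings.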
nvd CVSS3.1 7.6
nvd CVSS4.0 7.2
Vulnerability type
CWE-74 Injection
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026