Known Vulnerabilities for products from Dovecot
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Dovecot".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-40020 json | Not Provided | 2026-05-12 | 2026-05-12 | |
| CVE-2026-33603 json | Not Provided | 2026-05-12 | 2026-05-12 | |
| CVE-2026-27860 json | If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads ... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-27859 json | A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted ... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2026-27858 json | Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of me... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2026-27857 json | Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will re... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2026-27856 json | Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use th... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-27855 json | Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username i... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-24031 json | Not Provided | 2026-03-27 | 2026-03-27 | |
| CVE-2026-0394 json | When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash ... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2025-59032 json | ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve s... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2025-59031 json | Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. A... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2022-30550 json | An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exi... | 8.8 - HIGH | 2022-07-17 | 2024-01-12 |
| CVE-2021-33515 json | The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be r... | 4.8 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2021-29157 json | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authenticat... | 5.5 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2020-28200 json | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a com... | 4.3 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2020-25275 json | Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted ema... | 7.5 - HIGH | 2021-01-04 | 2023-11-07 |
| CVE-2020-24386 json | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via... | 6.8 - MEDIUM | 2021-01-04 | 2023-11-07 |
| CVE-2020-12674 json | In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-12673 json | In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bound... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
Known software with vulnerabilities from Dovecot
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Dovecot | Dovecot | - |
| Application | Dovecot | Pigeonhole | 0.1.0 |