Known Vulnerabilities for products from Dovecot
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Dovecot".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed, based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-27860 | | Not Provided | 2026-03-27 | 2026-03-27 |
| CVE-2026-27855 | | Not Provided | 2026-03-27 | 2026-03-27 |
| CVE-2026-24031 | | Not Provided | 2026-03-27 | 2026-03-27 |
| CVE-2026-0394 | | Not Provided | 2026-03-27 | 2026-03-27 |
| CVE-2025-59031 | | Not Provided | 2026-03-27 | 2026-03-27 |
| CVE-2022-30550 | An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exi... | 8.8 - HIGH | 2022-07-17 | 2024-01-12 |
| CVE-2021-33515 | The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be r... | 4.8 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2021-29157 | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authenticat... | 5.5 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2020-28200 | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a com... | 4.3 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2020-25275 | Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted ema... | 7.5 - HIGH | 2021-01-04 | 2023-11-07 |
| CVE-2020-24386 | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via... | 6.8 - MEDIUM | 2021-01-04 | 2023-11-07 |
| CVE-2020-12674 | In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-12673 | In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bound... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-12100 | In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of ... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-10967 | In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an... | 5.3 - MEDIUM | 2020-05-18 | 2023-11-07 |
| CVE-2020-10958 | In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, s... | 5.3 - MEDIUM | 2020-05-18 | 2023-11-07 |
| CVE-2020-10957 | In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereferen... | 7.5 - HIGH | 2020-05-18 | 2023-11-07 |
| CVE-2020-7957 | The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read t... | 5.3 - MEDIUM | 2020-02-12 | 2023-11-07 |
| CVE-2020-7046 | lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, ... | 7.5 - HIGH | 2020-02-12 | 2023-11-07 |
| CVE-2019-19722 | In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are ... | 5.3 - MEDIUM | 2019-12-13 | 2023-11-07 |
Known software with vulnerabilities from Dovecot
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Dovecot | Dovecot | - |
| Application | Dovecot | Pigeonhole | 0.1.0 |