Known Vulnerabilities for products from Dovecot
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Dovecot".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-27860 | Not Provided | | 2026-03-27 | 2026-03-27 |
| CVE-2026-27855 | Not Provided | | 2026-03-27 | 2026-03-27 |
| CVE-2026-24031 | Not Provided | | 2026-03-27 | 2026-03-27 |
| CVE-2026-0394 | Not Provided | | 2026-03-27 | 2026-03-27 |
| CVE-2025-59031 | Not Provided | | 2026-03-27 | 2026-03-27 |
| CVE-2021-33515 | The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be r... | 4.8 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2021-29157 | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authenticat... | 5.5 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2020-28200 | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a com... | 4.3 - MEDIUM | 2021-06-28 | 2023-11-07 |
| CVE-2020-25275 | Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted ema... | 7.5 - HIGH | 2021-01-04 | 2023-11-07 |
| CVE-2020-24386 | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via... | 6.8 - MEDIUM | 2021-01-04 | 2023-11-07 |
| CVE-2020-12674 | In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-12673 | In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bound... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-12100 | In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of ... | 7.5 - HIGH | 2020-08-12 | 2023-11-07 |
| CVE-2020-10967 | In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an... | 5.3 - MEDIUM | 2020-05-18 | 2023-11-07 |
| CVE-2020-10958 | In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, s... | 5.3 - MEDIUM | 2020-05-18 | 2023-11-07 |
| CVE-2020-10957 | In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereferen... | 7.5 - HIGH | 2020-05-18 | 2023-11-07 |
| CVE-2020-7957 | The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read t... | 5.3 - MEDIUM | 2020-02-12 | 2023-11-07 |
| CVE-2020-7046 | lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, ... | 7.5 - HIGH | 2020-02-12 | 2023-11-07 |
| CVE-2019-19722 | In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are ... | 5.3 - MEDIUM | 2019-12-13 | 2023-11-07 |
| CVE-2019-11500 | In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted ... | 9.8 - CRITICAL | 2019-08-29 | 2023-11-07 |
Known software with vulnerabilities from Dovecot
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Dovecot | Dovecot | - |
| Application | Dovecot | Pigeonhole | 0.1.0 |