Known Vulnerabilities for products from Open-xchange
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Open-xchange".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-27860 json | If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads ... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-27859 json | A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted ... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2026-27858 json | Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of me... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2026-27857 json | Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will re... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2026-27856 json | Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use th... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-27855 json | Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username i... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-24031 json | Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypa... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2026-0394 json | When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash ... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2025-59032 json | ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve s... | Not Provided | 2026-03-27 | 2026-04-30 |
| CVE-2025-59031 json | Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. A... | Not Provided | 2026-03-27 | 2026-04-29 |
| CVE-2023-29052 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 5.4 - MEDIUM | 2024-01-08 | 2024-01-22 |
| CVE-2023-29051 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 8.1 - HIGH | 2024-01-08 | 2024-01-22 |
| CVE-2023-29050 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 9.6 - CRITICAL | 2024-01-08 | 2024-01-12 |
| CVE-2023-29049 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 6.1 - MEDIUM | 2024-01-08 | 2024-01-12 |
| CVE-2023-29048 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 8.8 - HIGH | 2024-01-08 | 2024-01-12 |
| CVE-2023-29047 json | Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to ... | 7.3 - HIGH | 2023-11-02 | 2024-01-12 |
| CVE-2023-29046 json | Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead ... | 4.3 - MEDIUM | 2023-11-02 | 2024-01-12 |
| CVE-2023-29045 json | Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Scrip... | 5.4 - MEDIUM | 2023-11-02 | 2024-01-12 |
| CVE-2023-29044 json | Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected ... | 5.4 - MEDIUM | 2023-11-02 | 2024-01-12 |
| CVE-2023-29043 json | Presentations may contain references to images, which are user-controlled, and could include malicious script code that is be... | 6.1 - MEDIUM | 2023-11-02 | 2024-01-12 |
Known software with vulnerabilities from Open-xchange
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Open-xchange | App Suite | 7.4.2 |
| Application | Open-xchange | Connector | 7.2.25 |
| Application | Open-xchange | Open-xchange Appsuite | 6.20.7 |
| Application | Open-xchange | Open-xchange Appsuite Backend | 7.6.3 |
| Application | Open-xchange | Open-xchange Appsuite Documentconverter | 7.8.3 |
| Application | Open-xchange | Open-xchange Appsuite Frontend | 7.6.3 |
| Application | Open-xchange | Open-xchange Appsuite Office | 7.8.3 |
| Application | Open-xchange | Open-xchange Appsuite Office-web | 7.8.3 |
| Application | Open-xchange | Open-xchange Documentconverter | 7.6.3 |
| Application | Open-xchange | Open-xchange Documentconverter Api | 7.8.3 |
| Application | Open-xchange | Open-xchange Documents | 7.8.3 |
| Application | Open-xchange | Open-xchange Documents Frontend | 7.6.3 |
| Application | Open-xchange | Open-xchange Driverestricted | 7.6.3 |
| Application | Open-xchange | Open-xchange Drive Restricted | 7.8.3 |
| Application | Open-xchange | Open-xchange Eas | 7.8.3 |
| Application | Open-xchange | Open-xchange Middleware | 7.8.3 |
| Application | Open-xchange | Open-xchange Notifier | 1.0.6 |
| Application | Open-xchange | Open-xchange Office | 7.6.3 |
| Application | Open-xchange | Open-xchange Office-web | 7.8.3 |
| Application | Open-xchange | Open-xchange Office Web | 7.6.3 |