CVE-2026-27851

EUVD-2026-29467
When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using the safe filter until running a fixed version. No publicly available exploits are known.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score percentile: 22%
Affected Products (NVD)
Vendor | Product | Version
dovecot | dovecot | 𝑥 < 2.4.4
open-xchange | dovecot | 𝑥 < 3.1.5
𝑥 = Vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
dovecot | bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u5 | fixed
dovecot | bookworm (security) | 1:2.3.19.1+dfsg1-2.1+deb12u6 | fixed
dovecot | bullseye | 1:2.3.13+dfsg1-2+deb11u1 | fixed
dovecot | bullseye (security) | 1:2.3.13+dfsg1-2+deb11u4 | fixed
dovecot | forky | 1:2.4.4+dfsg1-1 | fixed
dovecot | sid | 1:2.4.4+dfsg1-1 | fixed
dovecot | trixie | | vulnerable
dovecot | trixie (security) | 1:2.4.1+dfsg1-6+deb13u6 | fixed