CVE-2026-43861

EUVD-2026-26899
mutt before 2.3.2 does not check for '\0' in url_pct_decode.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
muttmutt
𝑥
< 2.3.2
CNA
Debian logo
Debian Releases
Debian Product
Codename
mutt
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
2.3.2-1
fixed
sid
2.4.0-1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/muttmua/mutt/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2