CVE-2026-40016 is a Dovecot vulnerability where a malicious Sieve script can bypass configured CPU time limits by as much as 130 times the intended limit. The issue can be reached through ManageSieve or local script handling and can be used to degrade server performance. Public sources in this corpus do not report known exploits.
CVE-2026-33603 affects Dovecot and can let a network-positioned attacker fake SCRAM TLS channel binding through a specially crafted base64 exchange. If the attacker can sit on the connection between the client and Dovecot, the result may be man-in-the-middle interception of communications. NVD records affected versions before 2.4.4 for Dovecot and before 3.1.5 for Dovecot Pro, with no public exploit known in the [truncated]
CVE-2016-8652 is a remote denial-of-service issue in Dovecot's auth component when auth-policy is configured. According to the supplied NVD record, an attacker can cause a crash by aborting authentication before a username is set. The affected version range is Dovecot versions before 2.2.27.