CVE-2026-42006 is a medium-severity vulnerability in Dovecot's IMAP implementation, published 2026-05-12 and modified 2026-05-18. The issue represents an incomplete fix for CVE-2026-27857, where excessive brace characters in IMAP commands could trigger uncontrolled memory consumption. The original remediation only addressed closing braces, leaving open braces as an attack vector. An authenticated attacker [truncated]
CVE-2026-40020 is a LOW-severity vulnerability (CVSS 3.1) in Dovecot affecting versions prior to 2.4.4 and Dovecot Pro prior to 3.1.5. Published 2026-05-12 and last modified 2026-05-18, this issue allows an authenticated attacker with IMAP access to inject the 'anyone' permission into a user's dovecot-acl file via the SETACL command, even when the imap_acl_allow_anyone configuration option is set to no. T [truncated]
CVE-2026-27851 is a HIGH-severity vulnerability (CVSS 7.4) in Dovecot affecting versions prior to 2.4.4 and Dovecot Pro prior to 3.1.5. The flaw occurs when the `safe` filter is used with variable expansion, causing all subsequent pipelines on the same string to be incorrectly interpreted as safe. This improper handling enables unsafe data to be unescaped, which can facilitate SQL or LDAP injection attack [truncated]