QwikSec

Security Database

CVE

CWE

Training

CVE-2025-8264

Published: Jul 29, 2025

Modified: Jul 29, 2025

PUBLISHED

CVSS v3.1

9.0

CRITICAL

Description

Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database. **Note:** This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured. Mitigation Change configuration to use the default or LDAP in backend/imap/config.php php define('IMAP_DEFAULTFROM', ''); or php define('IMAP_DEFAULTFROM', 'ldap');

Vendor	Product	Versions
n/a	z-push/z-push-dev	affected `0 - < 2.7.6`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180

https://xbow.com/blog/xbow-zpush-sqli/

https://github.com/Z-Hub/Z-Push/pull/161/commits/f981d515a35ac4c303959af21dce880a5db02786

https://github.com/Z-Hub/Z-Push/pull/161

https://github.com/Z-Hub/Z-Push/blob/af25a2169a50d6e05a5916d1e8b2b6cd17011c98/src/backend/imap/user_identity.php%23L211C9-L214C25

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.