QwikSec

Security Database

CVE

CWE

Training

CVE-2026-2469

Published: Feb 14, 2026

Modified: Feb 17, 2026

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.

Vendor	Product	Versions
n/a	directorytree/imapengine	affected `0 - < 1.22.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

References

https://security.snyk.io/vuln/SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300

https://github.com/DirectoryTree/ImapEngine/pull/150

https://github.com/DirectoryTree/ImapEngine/commit/87fca56affd9527e6907a705e6d600c5174d9a5a

https://gist.github.com/wanamirulhakim/74b41589cdea3c07c3375e5946960778

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.