directorytree/imapengine Injection Vulnerability (CVE-2026-2469)

Vulnerability Key Information Vulnerability Name Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affected Scope Package Name: directorytree/imapengine Version: <1.22.3 Vulnerability Details Introduction Date: February 4, 2022 Vulnerability ID: CVE-2026-2469 CWE: CWE-74 Severity: 7.2 (High) Threat Intelligence Exploit Maturity: Proof of Concept EPSS: 0.01% (3rd percentile) Vulnerability Description In affected versions, there is an issue with improper escaping of user input via the function in the file, leading to malicious input being included in the IMAP ID command. Attackers can exploit this by injecting quote characters or CRLF sequences into the input, enabling them to read or delete the victim's emails, terminate the victim's session, or execute any valid IMAP command on the victim's mailbox. Remediation Recommendation Upgrade to version 1.22.3 or higher. Related Links GitHub Commit GitHub Gist GitHub PR CVSS Base Score Attack Vector: Network Attack Complexity: Low Attack Requirements: None Required Privileges: Low User Interaction: None Reference Information Snyk ID: SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300 Publication Date: March 13, 2026 Disclosure Date: February 4, 2026 Contributor: Wan Amirul Hakim Wan Yuhainis

Goal Reached Thanks to every supporter — we hit 100%!

directorytree/imapengine Injection Vulnerability (CVE-2026-2469)