AgenticMail API/storage and outbound relay hardening fixes

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct...

RockyLinux 8 : python3 (RLSA-2026:2128)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:2128 advisory. cpython: wsgiref.headers.Headers allows header newline injection in Python CVE-2026-0865 cpython: IMAP command injection in user-controlled commands...

RLSA-2026:2128 Moderate: python3 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

CLSA-2026-1778750122 Fix CVE(s): CVE-2026-27857

SECURITY UPDATE: imap-login excessive memory usage DoS ELSCVE-123445 - debian/patches/CVE-2026-27857.patch: limit IMAP parser open list count via new imapparserparams struct; cap pre-auth IMAPLOGINLISTCOUNTLIMIT to 1. Squashes upstream commits 825bc297, d0f67b52, af1fb4da, 3435e0d44. -...

FreeBSD : zeek -- potential DoS vulnerability (e665f0a2-fe6d-44b0-ba9e-d383f055a8a3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the e665f0a2-fe6d-44b0-ba9e-d383f055a8a3 advisory. Wojtulewicz of Corelight reports: A specially-crafted series of MIME headers sent via SMTP or HTTP coul...

CVE-2026-35504

PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication...

CVE-2026-35504

CVE-2026-35504 affects PowerSYSTEM Center's email notification service, with a CRLF injection vulnerability when using SMTPS. The available data provides CVSS 4.0/3.1 base metrics (MEDIUM) and does not specify affected versions, root cause details, exploitation status, or remediation. The descrip...

CVE-2026-40020

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imapaclallowanyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed...

CVE-2026-42006

CVE-2026-42006 describes that an attacker can cause uncontrolled memory usage by sending excessive bracing over IMAP. The underlying issue is an incomplete fix (CVE-2026-27857) that blocked only one of two vulnerability paths—closing braces but allowing open braces to bypass the limit. The result...

CVE-2026-42006

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass t...

CVE-2026-42006

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass t...

PT-2026-40431

PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication...

PT-2026-40030

Name of the Vulnerable Software and Affected Versions dovecot versions prior to 2.4.4-1.1 Description An attacker can cause uncontrolled memory usage via excessive bracing over IMAP. A previous fix was incomplete as it only blocked closing braces, allowing the memory limit to be bypassed using op...

Unity Linux 20.1060e / 20.1070e Security Update: fetchmail (UTSA-2026-017438)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017438 advisory. Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. Tenable has extracted...

Unity Linux 20.1060e / 20.1070e Security Update: curl (UTSA-2026-017570)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017570 advisory. When curl = 7.20.0 and = 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back...

DEBIAN-CVE-2026-42257

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled...

DEBIAN-CVE-2026-42245

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...

DEBIAN-CVE-2026-42246

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAPstarttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10,...

CVE-2026-42256

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational...

EUVD-2026-28927

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched ...