OESA-2026-2209 postfix security update

Postfix is a Mail Transport Agent MTA. Security Fixes: Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.CVE-2026-43964...

Improper Certificate Validation

CKAN is vulnerable to Improper Certificate Validation. The vulnerability is due to insufficient validation of SMTP server certificates, allowing attackers to spoof the configured mail server using invalid or self-signed certificates and enabling man-in-the-middle attacks against email traffic and...

CVE-2026-42185

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...

CVE-2026-42185 People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...

CVE-2026-42185

CVE-2026-42185 - People (La Suite): Prior to version 1.25.0, an authenticated user with Administrator on a mail domain could send a crafted invitation to elevate any user to Owner, yielding full domain ownership without the target’s acceptance. This is a privilege-escalation in the invitation flo...

CVE-2026-42185 People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...

CVE-2026-42185

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...

ROS-20260508-73-0008

Vulnerability in roundcubemail related to the inclusion of features from an invalid controlled scope. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

ROS-20260508-73-0016

A vulnerability in the ngxmailauthauthhttpmodule module of the NGINX Plus and NGINX Open Source HTTP server is related to NULL pointer dereferencing. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

📄 Exim 4.91 Remote Command Execution

Exim versions 4.87 through 4.91 improper recipient-address validation remote command execution exploit. Spawns a netcat shell on port 31415 as root, then connects to it Vulnerablity is within Exim 4.87-4.91 import subprocess import socket import os import time from subprocess import Popen, PIPE...

ROS-20260508-73-0007

Vulnerability in roundcubemail related to the use of an insecure alternate channel. Exploitation of the vulnerability could allow an attacker acting remotely to modify user projects and/or device configuration via cip commands...

CVE-2026-39820 Quadratic string concatentation in consumeComment in net/mail

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations...

CVE-2026-39820

CVE-2026-39820 relates to the Go net/mail package, specifically a quadratic string concatenation in the consumeComment path. This root cause can cause excessive CPU usage and memory allocations when parsing crafted inputs through functions like ParseAddress, ParseAddressList, and ParseDate. The p...

CVE-2026-39820 Quadratic string concatentation in consumeComment in net/mail

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations...

CVE-2026-42499 Quadratic string concatenation in consumePhrase in net/mail

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322...

CVE-2026-42499

CVE-2026-42499 affects the net/mail package’s consumePhrase routine, where pathological inputs can trigger DoS due to quadratic string concatenation when parsing RFC 5322 email addresses. This is documented across multiple feeds (NVD, CVE list, Debian, CIRCL, OSV GO-2026-4977, vulnrichment), indi...

CVE-2026-42499 Quadratic string concatenation in consumePhrase in net/mail

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322...

Allocation of Resources Without Limits or Throttling

Overview std/net/mail is a Go standard library package std/net/mail Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Pathological inputs could cause DoS through consumePhrase when parsing an email address according ...

GO-2026-4977 Quadratic string concatenation in consumePhrase in net/mail

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322...

GO-2026-4986 Quadratic string concatentation in consumeComment in net/mail

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations...