Lucene search

19 matches found

ATTACKERKB
added 2026/04/24 3:07 a.m. · 1 view

CVE-2026-41319

MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication...

CVSS 6.5 · AI score 6 · EPSS 0.00038
Exploits 1 · References 2 · Affected Software 1

AlpineLinux
added 2026/04/15 11:15 p.m. · 1 view

CVE-2026-40193

maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll without any LDAP filter escaping, despite the...

CVSS 8.2 · AI score 5.9 · EPSS 0.00056
Exploits 1

Microsoft CVE
added 2025/09/03 10:44 p.m. · 3 views

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

...

CVSS 5.9 · AI score 7 · EPSS 0.00181
Exploits 0

Tenable Nessus
added 2025/09/03 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2017-15042

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on...

CVSS 5.9 · AI score 7.2 · EPSS 0.00181
Exploits 0 · References 2

RedhatCVE
added 2025/05/23 3:33 a.m. · 3 views

CVE-2023-27582

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted...

CVSS 9.8 · AI score 7.2 · EPSS 0.00572
Exploits 0 · References 1

AlpineLinux
added 2023/03/13 9:40 p.m. · 1 view

CVE-2023-27582

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted...

CVSS 9.8 · AI score 7.6 · EPSS 0.00572
Exploits 0

Positive Technologies
added 2023/03/13 12:00 a.m. · 1 view

PT-2023-21225 · Maddy · Maddy

Name of the Vulnerable Software and Affected Versions: maddy versions 0.2.0 through 0.6.2. Description: The issue allows for a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it i...

CVSS 9.8 · AI score 7.6 · EPSS 0.00572
Exploits 0 · References 9

SUSE CVE
added 2023/02/15 4:41 a.m. · 1 view

SUSE CVE-2017-12610

In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka...

CVSS 6.8 · AI score 8.8 · EPSS 0.00684
Exploits 0 · References 3

Debian CVE
added 2022/03/15 2:35 p.m. · 38 views

CVE-2022-24755

Removed by vendor...

CVSS 9.8 · AI score 9.4 · EPSS 0.00475
Exploits 1

Snyk
added 2022/01/07 8:35 p.m. · 3 views

Cleartext Transmission of Sensitive Information

Overview: std/net/smtp is a Go standard library package. Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information. Go Vulnerability Report: SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured...

CVSS 8.7 · AI score 7.1 · EPSS 0.00181
Exploits 0 · References 3

OSV
added 2022/01/07 8:35 p.m. · 25 views

GO-2021-0178 Cleartext transmission of credentials in net/smtp

SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers...

CVSS 5.9 · AI score 7.3 · EPSS 0.00181
Exploits 0 · References 4

OSV
added 2019/05/08 5:29 p.m. · 1 view

ALPINE-CVE-2019-11499

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message...

CVSS 7.5 · AI score 7.1 · EPSS 0.01022
Exploits 0 · References 1

OSV
added 2019/04/30 12:00 p.m. · 0 views

UBUNTU-CVE-2019-11499

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message...

CVSS 7.5 · AI score 7.3 · EPSS 0.01022
Exploits 0 · References 3

RedHat Linux
added 2018/04/10 9:33 a.m. · 0 views

golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting

It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application...

CVSS 5.9 · AI score 7.4 · EPSS 0.00181
Exploits 0 · References 4

CNVD
added 2017/12/05 12:00 a.m. · 1 view

Vibease Wireless Remote Vibrator app for Android and Vibease Chat app for iOS vulnerabilities

Vibease Wireless Remote Vibrator app for Android is a wireless remote control app based on the Android platform. Vibease Chat app for iOS is an online chat application based on the iOS platform. A security vulnerability exists in the Vibease Wireless Remote Vibrator app for Android and the Vibease Chat app f...

CVSS 7.5 · AI score 6.9 · EPSS 0.00147
Exploits 0 · References 1

Veracode
added 2017/10/06 3:10 a.m. · 24 views

Man-in-the-Middle (MitM)

github.com/golang/go is vulnerable to a man-in-the-middle (MitM) attack. A malicious user can set up a MitM SMTP server that doesn't advertise STARTTLS and advertises that PLAIN authentication can be used. By doing this, smtp.PlainAuth will send the username and password to the server...

CVSS 5.9 · AI score 7.5 · EPSS 0.00181
Exploits 0 · References 8 · Affected Software 4

CNVD
added 2016/05/30 12:00 a.m. · 1 view

Apache Qpid Java Broker Denial of Service Vulnerability

Apache Qpid Java Broker is message middleware, written in Java and developed by the Apache Software Foundation (United States), for routing and forwarding mail messages. A security vulnerability exists in Apache Qpid Java Broker. When the PLAIN mechanism is enabled in the program, an attack...

CVSS 5.9 · AI score 7 · EPSS 0.00983
Exploits 0 · References 1

seebug.org
added 2007/10/15 12:00 a.m. · 13 views

eXtremail <= 2.1.1 PLAIN authentication Remote Stack Overflow Exploit

No description provided by source. / extremail-v6.c Copyright c 2006 by [email protected] eXtremail =2.1.1 remote root exploit x86-lnx by mu-b - Wed Oct 18 2006 - Tested on: eXtremail 2.1.1 lnx eXtremail 2.1.0 lnx Stack overflow in ifParseAuthPlain ...

AI score 7.1
Exploits 0

Exploit DB
added 2007/10/15 12:00 a.m. · 25 views

eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow

/ extremail-v6.c Copyright c 2006 by eXtremail include include include include include define BUFSIZE 2048 define BBUFSIZE BUFSIZE/34+1 define NOP 0x41 define AUTHCMD "1 AUTHENTICATE PLAIN\n" define DEFPORT 143 define PORTIMAPD DEFPORT define PORTSHELL 4444 static const char movshelllnx =...

AI score 7.4
Exploits 0