CURL-CVE-2026-8286 wrong STARTTLS connection reuse

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not...

USN-8431-1: Ruby vulnerabilities

It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security TLS encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption...

USN-8431-1 ruby2.3, ruby2.5 vulnerabilities

It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security TLS encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption...

SUSE SLES15 Security Update : python-Django (SUSE-SU-2026:2318-1)

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2318-1 advisory. This update for python-Django fixes the following issues - CVE-2026-6873: signed cookie salt namespace collision in...

Fedora 43 : python-django5 (2026-f140cb16b6)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f140cb16b6 advisory. Fixes five low-severity CVEs - CVE-2026-6873: Signed cookie salt namespace collision - CVE-2026-7666: Potential unencrypted email transmission via...

CVE-2020-37248

A flaw was found in OfflineIMAP. This vulnerability allows a remote attacker to perform a man-in-the-middle attack by exploiting the client's trust in the server's STARTTLS capability before authentication. This can lead to the attacker taking over the connection and extracting sensitive account...

UBUNTU-CVE-2020-37248

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext...

CVE-2020-37248

OfflineIMAP prior to version 8.0.3 is affected by a STARTTLS trust issue: the client trusts the server’s STARTTLS capability before authentication, enabling man-in-the-middle attacks that can exfiltrate credentials in cleartext. This vulnerability can enable an attacker to take over the connectio...

PT-2026-47305

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext...

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information in the EmailBackend function when a failed STARTTLS handshake occurs and failsilently=True is set. An attacker can intercept and read email content by performing a man-in-the-middle attack...

EUVD-2026-34087

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...

CVE-2026-7666

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...

UBUNTU-CVE-2026-7666

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...

PT-2026-45948

Name of the Vulnerable Software and Affected Versions Django versions prior to 6.0.6 Django versions prior to 5.2.15 Description An issue exists in django.core.mail.backends.smtp.EmailBackend where the system fails to prevent the reuse of a partially-initialized connection following a failed...

Astra Linux – Vulnerability in exim4

The STARTTLS feature in Exim up to 4.94.2 allows for response injection buffering during MTA SMTP sending...

Unity Linux 20.1060e / 20.1070e Security Update: ruby (UTSA-2026-017525)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017525 advisory. An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unkno...

Improper Enforcement of Behavioral Workflow

Overview Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow via the starttls function. An attacker can intercept and manipulate the communication by injecting a crafted response before the client completes sending the command, causing the connection to...

Astra Linux – Vulnerability in Thunderbird

During the plaintext phase of the STARTTLS connection setup, protocol commands could be injected and evaluated within the encrypted session. This vulnerability affects Thunderbird 78.7...

Astra Linux – Vulnerability in dovecot

The submission service in Dovecot before 2.3.15 allowed for STARTTLS command injection in the lib-smtp library. Sensitive information could be redirected to an address controlled by the attacker...

CVE-2026-41319

MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication...