CVE-2026-58451

Name: CVE-2026-58451
Description: Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. The stripos() prefix validation only checks that the path begins with the expected prefix, so an attacker can bypass it by appending traversal segments after the matching prefix; file_get_contents() then reads sensitive files whose contents are exfiltrated as MIME parts in outgoing email. Unauthenticated exploitation is also achievable via CSRF against an active authenticated session.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
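The description above turns on a prefix-only check: stripos() confirms that the img src path begins with the expected CKEditor prefix and nothing looks at what follows. The following PHP is an added illustration written for this entry; it is not Horde IMP's code and not the upstream fix. It places that weak pattern beside a resolver that canonicalises the target and confines it to an allowed directory. The prefix, the upload directory, both function names and the constructed inputs are assumptions; it needs PHP 8 for str_contains().

```php
<?php
declare(strict_types=1);

// Added illustration, not Horde IMP's code: a prefix-only check on an img src
// path beside a check that canonicalises the target and confines it to an
// allowed directory. $prefix, $baseDir and both functions are hypothetical.

/**
 * Weak pattern: only confirms that $src starts with the expected prefix
 * (case-insensitively). Whatever follows the prefix, including "../"
 * segments, is appended to the base directory and trusted verbatim.
 */
function resolveImageWeak(string $src, string $prefix, string $baseDir): ?string
{
    if (stripos($src, $prefix) !== 0) {
        return null;                                  // prefix absent: rejected
    }
    return $baseDir . '/' . substr($src, strlen($prefix));
}

/**
 * Hardened pattern: reject traversal segments syntactically, then resolve the
 * candidate with realpath() and require that the canonical path still lies
 * inside $baseDir before anything reads it.
 */
function resolveImageSafe(string $src, string $prefix, string $baseDir): ?string
{
    if (stripos($src, $prefix) !== 0) {
        return null;
    }
    $relative = substr($src, strlen($prefix));
    if ($relative === '' || str_contains($relative, "\0")) {
        return null;                                  // empty or NUL-containing
    }
    // Every segment must be a plain name: no "." or "..", no empty segment
    // (which would come from "//" or a leading "/"), no backslash variants.
    foreach (explode('/', str_replace('\\', '/', $relative)) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $relative);
    if ($base === false || $candidate === false) {
        return null;                                  // base or target missing
    }
    // Canonical path must be base + separator + something, so a sibling such
    // as "/srv/uploads-other" does not pass a bare string-prefix comparison.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // escaped the base directory
    }
    return $candidate;
}

// Constructed fixture: a throwaway upload directory containing one image so
// the example runs offline. The second input carries a traversal sequence
// after the matching prefix, the pattern the advisory describes.
$prefix  = '/ckeditor/uploads/';
$baseDir = sys_get_temp_dir() . '/imgdemo_' . bin2hex(random_bytes(4));
mkdir($baseDir, 0700, true);
file_put_contents($baseDir . '/logo.png', 'not really a png');

$inputs = [
    '/ckeditor/uploads/logo.png',
    '/ckeditor/uploads/../../../../etc/hostname',
];
foreach ($inputs as $src) {
    printf("%-45s weak: %s\n", $src, resolveImageWeak($src, $prefix, $baseDir) ?? 'rejected');
    printf("%-45s safe: %s\n", $src, resolveImageSafe($src, $prefix, $baseDir) ?? 'rejected');
}

unlink($baseDir . '/logo.png');
rmdir($baseDir);
```

The weak resolver accepts the second input and hands back a path outside the upload directory, which is exactly what a later file_get_contents() would read; the hardened one rejects it twice over, first on the ".." segment and again when the realpath() result fails the base-directory comparison. Keeping the syntactic check ahead of realpath() matters because realpath() returns false for files that do not exist, so on its own it cannot distinguish "outside the base" from "not present yet". When reviewing a fix for this class of bug, check that the comparison is made against the canonical path plus a trailing separator, not against a bare string prefix.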

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release             | Version           | Status
php-horde-imp (PTS)  | bullseye            | 6.2.27-2          | vulnerable
php-horde-imp (PTS)  | bullseye (security) | 6.2.27-2+deb11u1  | vulnerable
php-horde-imp (PTS)  | bookworm            | 6.2.27-3          | vulnerable
php-horde-imp (PTS)  | sid                 | 6.2.27-3.1        | vulnerable

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
horde3         | source | (unstable) | (unfixed)     |         |        |
php-horde-imp  | source | (unstable) | (unfixed)     |         |        |

Notes

https://github.com/horde/imp/pull/85
Fixed by: https://github.com/horde/imp/commit/fba972fab72ee6871e5d56e6390bee38593085de (v7.0.1)
