What is CVE-2026-27851?

CVE-2026-27851 is a high-severity vulnerability in Dovecot, classified under CWE-235. CVSS score: 7.4/10. Published 2026-05-12.

How severe is CVE-2026-27851?

High severity. CVSS v3 base score is 7.4 out of 10.

Vulnerability in Dovecot

CVE-2026-27851

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentic…

EPSS: 0.000 (3.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.4 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Dovecot
Open-xchange Dovecot
Open-xchange Gmbh Ox Dovecot Pro — versions 0

Weakness classification (CWE)

CWE-235

References

security@open-xchange.com (vendor-advisory, Vendor Advisory)

Frequently asked questions

What is CVE-2026-27851?: CVE-2026-27851 is a high-severity vulnerability in Dovecot, classified under CWE-235. CVSS score: 7.4/10. Published 2026-05-12.
How severe is CVE-2026-27851?: High severity. CVSS v3 base score is 7.4 out of 10.