PT-2026-8056 · Directorytree · Imapengine

Wanamirulhakim · Published 2026-02-14 · Updated 2026-02-17 · CVE-2026-2469

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions
directorytree/imapengine versions prior to 1.22.3

Description
The software contains a flaw due to improper handling of user-supplied data before it is used in IMAP ID commands within the ImapConnection.php file. Specifically, the id() function does not adequately escape user input, which can lead to the injection of special characters such as quote characters (") or CRLF sequences (\r\n). Successful exploitation could allow an attacker to read or delete a victim's emails, terminate the victim's session, or execute arbitrary valid IMAP commands on the victim's mailbox.

Recommendations
Update to version 1.22.3 or later.
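
For code that builds IMAP ID commands itself, the sketch below shows the kind of encoding the description says was missing: each field and value is emitted as an RFC 3501 quoted string, with quote and backslash escaped and CR, LF and NUL refused. It is an added example, not code from imapengine or from its 1.22.3 fix; the function names imapQuote and buildIdCommand, the tags and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not imapengine's code.

// Encode one value as an IMAP quoted string (RFC 3501 "quoted").
function imapQuote(string $value, int $maxLen): string
{
    // CR, LF and NUL cannot appear inside a quoted string. Refusing them
    // keeps a value from terminating the command line early.
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        throw new InvalidArgumentException('CR, LF or NUL in IMAP ID string');
    }
    // Quoted strings are 7-bit; anything else would need a literal.
    if (preg_match('/[^\x01-\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('non-ASCII byte in IMAP ID string');
    }
    if (strlen($value) > $maxLen) {
        throw new InvalidArgumentException('IMAP ID string too long');
    }
    // Escape the two quoted-specials, backslash and double quote, in one pass.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

// Build "<tag> ID (...)" per RFC 2971. $tag is assumed to be generated by the
// client itself, never taken from user input.
function buildIdCommand(string $tag, ?array $fields): string
{
    if ($fields === null || $fields === []) {
        return $tag . ' ID NIL';
    }
    if (count($fields) > 30) {
        throw new InvalidArgumentException('more than 30 ID field-value pairs');
    }
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = imapQuote((string) $name, 30);     // RFC 2971 field limit
        $parts[] = imapQuote((string) $value, 1024);  // RFC 2971 value limit
    }
    return $tag . ' ID (' . implode(' ', $parts) . ')';
}

// Constructed inputs: an embedded quote is escaped, a CRLF is rejected.
echo buildIdCommand('A001', ['name' => 'mail-client', 'version' => '1.0 "beta"']), "\n";
try {
    buildIdCommand('A002', ['name' => "mail-client\r\nX"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting control characters outright, rather than stripping them, makes a tampered value visible to the caller and to logs instead of silently altering it.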

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2026-2469
GHSA-RFQ9-4WCM-64GH

Affected Products

Imapengine