Kevin J. McCarthy

6 exploits Active since May 2026
CVE-2026-43859 WRITEUP LOW
mutt < 2.3.2 - Improper Neutralization of Null Byte in IMAP CRAM-MD5 Authentication
mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
CVSS 3.7
CVE-2026-43860 WRITEUP LOW
mutt < 2.3.2 - Off-by-one Error in IMAP CRAM-MD5 Password Hashing
mutt before 2.3.2 sometimes truncates hash_passwd by one byte for the IMAP auth_cram MD5 digest.
CVSS 3.7
CVE-2026-43861 WRITEUP LOW
mutt < 2.3.2 - Null Byte Injection in URL Percent Decoding
mutt before 2.3.2 does not check for '\0' in url_pct_decode.
CVSS 3.7
CVE-2026-43862 WRITEUP LOW
mutt < 2.3.2 - Type Confusion in IMAP GSSAPI Authentication
In mutt before 2.3.2, the imap_auth_gss security level is mishandled.
CVSS 3.7
CVE-2026-43863 WRITEUP LOW
mutt < 2.3.2 - Denial of Service via Infinite Loop in crypt-gpgme.c
mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c.
CVSS 3.7
CVE-2026-43864 WRITEUP LOW
mutt < 2.3.2 - NULL Pointer Dereference in show_sig_summary
mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.
CVSS 2.5