CVE-2025-8264
CRITICAL: z-push-dev < 2.7.6 - SQL Injection via IMAP Username Field
Title source: llmDescription
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject SQL by manipulating the username field sent in HTTP Basic authentication. This allows the attacker to read and potentially modify or delete sensitive data in a linked third-party database.

**Note:** This vulnerability affects Z-Push installations that use the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured.

Mitigation

Change the configuration in backend/imap/config.php to use the default or LDAP:

```php
define('IMAP_DEFAULTFROM', '');
```

or

```php
define('IMAP_DEFAULTFROM', 'ldap');
```
References (5)
Various Sources: https://github.com/Z-Hub/Z-Push/blob/af25a2169a50d6e05a5916d1e8b2b6cd17011c98/src/backend/imap/user_identity.php%23L211C9-L214C25
Various Sources: https://xbow.com/blog/xbow-zpush-sqli/
Issue Tracking: https://github.com/Z-Hub/Z-Push/pull/161
Third Party Advisory: https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180
Scores
CVSS v3: 9.0
EPSS: 0.0038
EPSS Percentile: 29.6%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (2)
n/a/z-push/z-push-dev: < 2.7.6
z-push/z-push-dev (Packagist): 0 - 2.7.6
Published: Jul 29, 2025
Tracked Since: Feb 18, 2026