Description
Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
References (4)
Core 4
Core References
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300
Issue Tracking
https://github.com/DirectoryTree/ImapEngine/pull/150
Scores
CVSS v3
7.6
EPSS
0.0002
EPSS Percentile
6.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-74
Status
published
Products (2)
directorytree/imapengine
0 - 1.22.3Packagist
n/a/directorytree/imapengine
< 1.22.3
Published
Feb 14, 2026
Tracked Since
Feb 18, 2026