Cyber Resilience

CVE-2025-8264

High

Published: 29 July 2025

Modified: 29 April 2026
CVSS Score v4: 7.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0039 (60.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8264 is a high-severity SQL Injection (CWE-89) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-8264 is a SQL injection vulnerability (CWE-89) affecting versions of the z-push/z-push-dev package prior to 2.7.6. The issue stems from unparameterized queries in the IMAP backend, specifically when the IMAP_FROM_SQL_QUERY option is configured in Z-Push installations. This flaw enables attackers to inject malicious SQL commands through the username field during basic authentication, potentially compromising linked third-party databases.

An unauthenticated remote attacker can exploit this vulnerability over the network with high attack complexity, requiring no user interaction and no privileges, as indicated by its CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation grants access to sensitive data in the database and allows modification or deletion of records, with the impact amplified due to the changed scope.

Mitigation involves updating to version 2.7.6 or later, where the issue is addressed via patches in the referenced GitHub pull request. As an immediate workaround, administrators should modify the configuration in backend/imap/config.php to disable SQL queries for IMAP_FROM by setting define('IMAP_DEFAULTFROM', ''); or define('IMAP_DEFAULTFROM', 'ldap'); to use the default or LDAP backend instead.
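
A check for the configuration workaround described above, as an added example (not code from Z-Push or from this advisory): it reads the text of backend/imap/config.php and reports whether the live IMAP_DEFAULTFROM value is one of the two values given as the workaround. The function names, the sample config strings and the value 'sql' used in them are constructed for illustration.

```python
import re

# The two IMAP_DEFAULTFROM values the advisory gives as the workaround.
WORKAROUND_VALUES = {"", "ldap"}

# define('NAME', 'value'); with either quote style; groups 1 and 3 are the quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""",
    re.S,
)


def strip_php_comments(src):
    """Remove /* */ blocks and whole-line // or # comments, so that
    commented-out define() calls are not mistaken for live settings."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return "\n".join(
        line for line in src.splitlines() if not re.match(r"\s*(//|#)", line)
    )


def audit_imap_config(php_source):
    """Report the live IMAP_DEFAULTFROM value and whether it needs changing."""
    consts = {}
    for m in DEFINE_RE.finditer(strip_php_comments(php_source)):
        # PHP ignores a second define() of the same constant: first one wins.
        consts.setdefault(m["name"], m["value"])
    default_from = consts.get("IMAP_DEFAULTFROM")
    return {
        "default_from": default_from,  # None means the constant was not found
        "sql_query_configured": bool(consts.get("IMAP_FROM_SQL_QUERY")),
        "needs_change": default_from is not None
        and default_from not in WORKAROUND_VALUES,
    }


# Constructed sample configs (not taken from a real installation).
SAMPLE_EXPOSED = """<?php
// define('IMAP_DEFAULTFROM', '');
define('IMAP_DEFAULTFROM', 'sql');
define('IMAP_FROM_SQL_QUERY', "constructed placeholder query");
"""
SAMPLE_WORKAROUND = """<?php
/* define('IMAP_DEFAULTFROM', 'sql'); */
define('IMAP_DEFAULTFROM', 'ldap');
"""

if __name__ == "__main__":
    for label, text in (("exposed", SAMPLE_EXPOSED), ("workaround", SAMPLE_WORKAROUND)):
        print(label, audit_imap_config(text))
```

The result reports IMAP_FROM_SQL_QUERY separately because the advisory limits the affected installations to those that have that option configured.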

Vulnerability details

Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database.

Note: This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured.

Mitigation

Change configuration to use the default or LDAP in backend/imap/config.php:

```php
define('IMAP_DEFAULTFROM', '');
```

or

```php
define('IMAP_DEFAULTFROM', 'ldap');
```

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing Z-Push IMAP backend directly enables remote unauthenticated exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (Shared CWE-89)
CVE-2024-13488 (Shared CWE-89)
CVE-2026-20002 (Shared CWE-89)
CVE-2025-1446 (Shared CWE-89)
CVE-2025-22699 (Shared CWE-89)
CVE-2026-36232 (Shared CWE-89)
CVE-2026-31871 (Shared CWE-89)
CVE-2026-33078 (Shared CWE-89)
CVE-2026-46359 (Shared CWE-89)
CVE-2025-22691 (Shared CWE-89)

Affected Assets

Snyk
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of untrusted inputs like the username field in basic authentication to block SQL injection via unparameterized IMAP backend queries.

prevent

Requires timely patching of the z-push package to version 2.7.6 or later, remediating the SQL injection flaw in the IMAP backend.

prevent

Mandates secure configuration settings in backend/imap/config.php to disable vulnerable IMAP_FROM_SQL_QUERY and use default or LDAP instead.

References