CVE-2026-2469

High

Published: 14 February 2026

Published

14 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

EPSS Score 0.0002 6.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2469 is a high-severity Injection (CWE-74) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-4 System Monitoring

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1114.002 Remote Email Collection Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

Why these techniques?

Remote injection vulnerability (CWE-74) in public-facing PHP IMAP library enables T1190 exploitation; directly facilitates arbitrary IMAP command execution for mailbox read access (T1114.002) and deletion/disruption (T1485).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP…

ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.

Deeper analysisAI

CVE-2026-2469 is an injection vulnerability (CWE-74) affecting versions of the PHP package directorytree/imapengine prior to 1.22.3. The issue resides in the id() function within ImapConnection.php, where user input is not properly escaped before being included in IMAP ID commands, allowing improper neutralization of special elements in output used by a downstream component. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).

An attacker with low privileges can exploit this over the network with low complexity and no user interaction required. By injecting quote characters (") or CRLF sequences (\r\n) into the input, they can execute arbitrary valid IMAP commands on the victim's mailbox, enabling actions such as reading or deleting emails, terminating the victim's session, or other mailbox manipulations.

Mitigation involves upgrading to version 1.22.3 or later, where the fix is implemented via commit 87fca56affd9527e6907a705e6d600c5174d9a5a and pull request #150 in the DirectoryTree/ImapEngine repository. Additional details are available in the Snyk advisory (SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300) and a related GitHub Gist.