Cyber Resilience

CVE-2026-2469

High

Published: 14 February 2026

Published
14 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 6.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2469 is a high-severity Injection (CWE-74) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-2469 is an injection vulnerability (CWE-74) affecting versions of the PHP package directorytree/imapengine prior to 1.22.3. The issue resides in the id() function within ImapConnection.php, where user input is not properly escaped before being included in IMAP ID commands, allowing improper neutralization of special elements in output used by a downstream component. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).

An attacker with low privileges can exploit this over the network with low complexity and no user interaction required. By injecting quote characters (") or CRLF sequences (\r\n) into the input, they can execute arbitrary valid IMAP commands on the victim's mailbox, enabling actions such as reading or deleting emails, terminating the victim's session, or other mailbox manipulations.

Mitigation involves upgrading to version 1.22.3 or later, where the fix is implemented via commit 87fca56affd9527e6907a705e6d600c5174d9a5a and pull request #150 in the DirectoryTree/ImapEngine repository. Additional details are available in the Snyk advisory (SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300) and a related GitHub Gist.

EU & UK References

Vulnerability details

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP…

more

ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1114.002 Remote Email Collection Collection
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Remote injection vulnerability (CWE-74) in public-facing PHP IMAP library enables T1190 exploitation; directly facilitates arbitrary IMAP command execution for mailbox read access (T1114.002) and deletion/disruption (T1485).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33202Shared CWE-74
CVE-2024-39604Shared CWE-74
CVE-2025-20337Shared CWE-74
CVE-2025-64428Shared CWE-74
CVE-2026-45344Shared CWE-74
CVE-2026-25814Shared CWE-74
CVE-2026-27727Shared CWE-74
CVE-2026-26002Shared CWE-74
CVE-2026-31816Shared CWE-74
CVE-2026-32695Shared CWE-74

Affected Assets

Snyk
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper neutralization of special elements by requiring filtering of outputs sent to the downstream IMAP server, preventing injection of quotes or CRLF sequences.

prevent

Requires validation of user inputs to the id() function to block malicious payloads like quotes or CRLF before inclusion in IMAP ID commands.

prevent

Ensures timely remediation of the specific injection flaw in directorytree/imapengine by identifying and applying patches such as version 1.22.3.

References