CVE-2026-2469
Published: 14 February 2026
Summary
CVE-2026-2469 is a high-severity Injection (CWE-74) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-2469 is an injection vulnerability (CWE-74) affecting versions of the PHP package directorytree/imapengine prior to 1.22.3. The issue resides in the id() function within ImapConnection.php, where user input is not properly escaped before being included in IMAP ID commands, allowing improper neutralization of special elements in output used by a downstream component. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
An attacker with low privileges can exploit this over the network with low complexity and no user interaction required. By injecting quote characters (") or CRLF sequences (\r\n) into the input, they can execute arbitrary valid IMAP commands on the victim's mailbox, enabling actions such as reading or deleting emails, terminating the victim's session, or other mailbox manipulations.
Mitigation involves upgrading to version 1.22.3 or later, where the fix is implemented via commit 87fca56affd9527e6907a705e6d600c5174d9a5a and pull request #150 in the DirectoryTree/ImapEngine repository. Additional details are available in the Snyk advisory (SNYK-PHP-DIRECTORYTREEIMAPENGINE-15274300) and a related GitHub Gist.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6070
Vulnerability details
Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP…
more
ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote injection vulnerability (CWE-74) in public-facing PHP IMAP library enables T1190 exploitation; directly facilitates arbitrary IMAP command execution for mailbox read access (T1114.002) and deletion/disruption (T1485).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the improper neutralization of special elements by requiring filtering of outputs sent to the downstream IMAP server, preventing injection of quotes or CRLF sequences.
Requires validation of user inputs to the id() function to block malicious payloads like quotes or CRLF before inclusion in IMAP ID commands.
Ensures timely remediation of the specific injection flaw in directorytree/imapengine by identifying and applying patches such as version 1.22.3.