pkg:Alpine/dovecot
34 total CVEsCRITICAL1HIGH18MEDIUM15
✅ Check your installed version
All known vulnerabilities
- from 0, < 2.3.7.2-r0
- HIGH8.8CVE-2022-30550An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20.from 0, < 2.3.19.1-r5
- HIGH8.2CVE-2026-24031Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin.from 0, < 2.4.3-r0
- from 0, < 2.3.5.1-r0
- HIGH7.5CVE-2026-27857Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage.from 0, < 2.4.3-r0
- HIGH7.5CVE-2025-59028When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fa…from 0, < 2.4.3-r0
- from 0, < 2.3.21.1-r0
- HIGH7.5CVE-2020-25275Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message wit…from 0, < 2.3.13-r0
- HIGH7.5CVE-2020-12674In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.from 0, < 2.3.10.1-r1
- HIGH7.5CVE-2020-12673In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.from 0, < 2.3.10.1-r1
- from 0, < 2.3.11.3-r0
- from 0, < 2.3.10.1-r0
- HIGH7.5CVE-2020-7046lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrate…from 0, < 2.3.10.1-r0
- HIGH7.5CVE-2019-11494In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during th…from 0, < 2.3.6-r0
- HIGH7.5CVE-2019-11499In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured c…from 0, < 2.3.6-r0
- HIGH7.5CVE-2019-10691The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate wi…from 0, < 2.3.6-r0
- from 0, < 2.3.1-r0
- from 0, < 2.4.2-r0
- from 0, < 2.3.1-r0
- from 0, < 2.3.13-r0
- from 0, < 2.3.4.1-r0
- MEDIUM5.9CVE-2026-27856Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack.from 0, < 2.4.3-r0
- MEDIUM5.9CVE-2026-27855Dovecot OTP authentication is vulnerable to replay attack under specific conditions.from 0, < 2.4.3-r0
- from 0, < 2.3.1-r0
- from 0, < 2.3.15-r0
- MEDIUM5.3CVE-2026-27860If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication.from 0, < 2.4.3-r0
- MEDIUM5.3CVE-2026-27859A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU.from 0, < 2.4.3-r0
- MEDIUM5.3CVE-2020-10967In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpa…from 0, < 2.3.10.1-r0
- MEDIUM5.3CVE-2020-10958In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or…from 0, < 2.3.10.1-r0
- MEDIUM5.3CVE-2020-7957The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the…from 0, < 2.3.10.1-r0
- MEDIUM5.3CVE-2019-19722In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because…from 0, < 2.3.9.2-r0
- from 0, < 2.3.21.1-r0
- from 0, < 2.3.15-r0
- from 0, < 2.4.3-r0