CVE-2026-58451: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Horde IMP
Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Because the check uses stripos() to confirm only that the expected prefix is present, an attacker can append traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-58451 is a path traversal vulnerability in Horde IMP before version 7.0.1, specifically in lib/Compose.php. Authenticated attackers can exploit it by embedding directory traversal sequences after a CKEditor path prefix in image source URLs; the stripos() prefix validation only confirms that the prefix occurs and does not constrain what follows it, so the check is bypassed. file_get_contents() then reads arbitrary files from the server filesystem, and their contents are exfiltrated as MIME parts in outgoing emails. Additionally, unauthenticated exploitation is possible through CSRF against an active authenticated session. The vulnerability has a CVSS 4.0 score of 7.1, indicating high severity.
Potential Impact
Successful exploitation allows attackers to read arbitrary files on the server, potentially exposing sensitive information. The exfiltration of file contents occurs via MIME parts in outgoing emails, which could lead to data leakage. The vulnerability can be exploited both by authenticated users and unauthenticated attackers leveraging CSRF, increasing the attack surface.
Mitigation Recommendations
A fix is available in Horde IMP version 7.0.1. Users should upgrade to version 7.0.1 or later to remediate this vulnerability. Patch status is not explicitly confirmed in the vendor advisory, but the affected versions are all prior to 7.0.1, indicating that upgrading to 7.0.1 addresses the issue. Until upgraded, restrict access to the affected compose component and monitor outgoing mail for MIME parts carrying unexpected file contents.
CVSS v4.0
Score: 7.1 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-06-30T20:20:33.789Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a455e5b27e9c79719f17ae7
Added to database: 07/01/2026, 18:37:15 UTC
Last enriched: 07/01/2026, 18:51:18 UTC
Last updated: 07/01/2026, 19:31:45 UTC