
CVE-2026-58451: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in horde imp

Severity: High
Published: 07/01/2026 (07/01/2026, 18:16:09 UTC)
Source: CVE Database V5
Vendor/Project: horde
Product: imp

Description

Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. The stripos() prefix validation only checks that the URL begins with the expected prefix, so traversal segments appended after the matching prefix pass the check and cause file_get_contents() to read sensitive files, whose contents are then exfiltrated as MIME parts in the outgoing email. Unauthenticated exploitation is also achievable via CSRF against an active authenticated session.

CVSS v4.0

Score: 7.1 (High)

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
None
Vuln. Availability
None
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected software

imp
pkg:github/imp
Affected versions
<7.0.1


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/01/2026, 18:51:18 UTC

Technical Analysis

CVE-2026-58451 is a path traversal vulnerability in Horde IMP before version 7.0.1, specifically in lib/Compose.php. Authenticated attackers can exploit this by embedding directory traversal sequences after a CKEditor path prefix in image source URLs, bypassing the stripos() prefix validation. This causes the file_get_contents() function to read arbitrary files from the server filesystem. The contents of these files are then exfiltrated as MIME parts in outgoing emails. Additionally, unauthenticated exploitation is possible through CSRF attacks against an active authenticated session. The vulnerability has a CVSS 4.0 score of 7.1, indicating high severity.

Potential Impact

Successful exploitation allows attackers to read arbitrary files on the server, potentially exposing sensitive information. The exfiltration of file contents occurs via MIME parts in outgoing emails, which could lead to data leakage. The vulnerability can be exploited both by authenticated users and unauthenticated attackers leveraging CSRF, increasing the attack surface.

Mitigation Recommendations

A fix is available in Horde IMP version 7.0.1. Users should upgrade to version 7.0.1 or later to remediate this vulnerability. Patch status is not explicitly confirmed in the vendor advisory, but the affected versions are prior to 7.0.1, indicating that upgrading to 7.0.1 addresses the issue. Until upgraded, restrict access to the affected component and monitor for suspicious email activity related to MIME parts containing unexpected file contents.
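The root cause described above is a textual prefix check (stripos() against the CKEditor path prefix) that says nothing about where the path ends up after traversal segments are resolved. The following PHP helper is an added illustration, not code from Horde IMP or its fix: it canonicalises the candidate path with realpath() and accepts it only if the canonical result lies inside an allowed base directory and is a regular file. The base directory, file names and inputs are constructed for the demonstration.

```php
<?php
// Added example (not Horde's code): a containment check that a prefix-only
// test such as stripos($src, $prefix) === 0 does not provide. Everything
// below the helper is a constructed demonstration in a temporary directory.

declare(strict_types=1);

/**
 * Resolve $relative against $baseDir and return the canonical path only if
 * it is an existing regular file located inside $baseDir; otherwise null.
 */
function resolveInside(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // NUL bytes can truncate the path in lower-level calls; reject them early
    // rather than relying on how the runtime reports them.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    // realpath() resolves ".", ".." and symlinks, so the comparison below is
    // made on the real location, not on the string the caller supplied.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the canonical path must start with the canonical base plus
    // a separator, so a sibling such as "/tmp/images2" is not accepted for
    // base "/tmp/images".
    $basePrefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $basePrefix, strlen($basePrefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration: an image directory with one file inside it and
// one sensitive file one level above it.
$root = sys_get_temp_dir() . '/cke_demo_' . bin2hex(random_bytes(4));
$imageDir = $root . '/images';
mkdir($imageDir, 0700, true);
file_put_contents($imageDir . '/pic.png', 'fake-png-bytes');
file_put_contents($root . '/secret.txt', 'must never be attached to mail');

// Each input would pass a check that only inspects the leading prefix;
// only the first one should be accepted by the containment check.
$inputs = [
    'pic.png',          // legitimate file inside the image directory
    '../secret.txt',    // traversal out of the image directory
    "pic.png\0.txt",    // embedded NUL byte
    'missing.png',      // does not exist
];
foreach ($inputs as $input) {
    $resolved = resolveInside($imageDir, $input);
    printf(
        "%-16s => %s\n",
        addcslashes($input, "\0"),
        $resolved === null ? 'rejected' : 'accepted: ' . $resolved
    );
}

// Clean up the constructed files.
unlink($imageDir . '/pic.png');
unlink($root . '/secret.txt');
rmdir($imageDir);
rmdir($root);
```

Because realpath() follows symlinks, a link inside the image directory that points elsewhere is also rejected, which a string comparison on the unresolved path would not catch. The check should run immediately before the file is opened, since a path validated earlier and reused later can be subject to a race.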


Technical Details

Data Version
5.2
Assigner Short Name
VulnCheck
Date Reserved
2026-06-30T20:20:33.789Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null

Threat ID: 6a455e5b27e9c79719f17ae7

Added to database: 07/01/2026, 18:37:15 UTC

Last enriched: 07/01/2026, 18:51:18 UTC

Last updated: 07/01/2026, 19:31:45 UTC

