9.8
CVE-2025-26794
- EPSS 75.78%
- Veröffentlicht 21.02.2025 13:15:11
- Zuletzt bearbeitet 18.12.2025 19:16:22
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 75.78% | 0.995 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| cve@mitre.org | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://github.com/Exim/exim/wiki/EximSecurity
https://bugzilla.suse.com/show_bug.cgi?id=1237424
https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305
https://exim.org
https://github.com/NixOS/nixpkgs/pull/383926
https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d
https://www.exim.org/static/doc/security/CVE-2025-26794.txt
http://www.openwall.com/lists/oss-security/2025/02/19/1
http://www.openwall.com/lists/oss-security/2025/02/21/4
http://www.openwall.com/lists/oss-security/2025/02/21/5
https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt