CVE-2026-40016
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
| CWE | CWE-400 |
| Vendor | open-xchange gmbh |
| Product | ox dovecot pro |
| Published | May 12, 2026 |
| Last Updated | May 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for open-xchange gmbh ox dovecot pro
Be the first to know when new medium vulnerabilities affecting open-xchange gmbh ox dovecot pro are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Open-Xchange GmbH / OX Dovecot Pro
0 โค 2.3.0