CVE Alert

CVE-2026-58451

MEDIUM 6.5

Horde IMP < 7.0.1 Path Traversal via Compose.php img src

CVSS Score: 6.5
EPSS Score: 0.3%
EPSS Percentile: 26th

Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. The stripos() prefix validation only confirms that the expected prefix is present and can be bypassed by appending traversal segments after it, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.
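The weakness described above is a prefix-only check on a path that is later handed to the filesystem. The following PHP is an added illustration, not code from Horde IMP or from the fix commit: it contrasts a stripos()-style prefix check with a hardened resolver that accepts only a bare file name after the prefix, canonicalises it with realpath(), and requires the result to stay inside the upload directory. The prefix string, directory layout and file names are constructed for the demo.

```php
<?php
// Added illustration, not code from Horde IMP. The prefix string, directory
// layout and file names below are constructed for the demo.

// Prefix-only validation of the pattern described in the advisory: it
// confirms the expected prefix sits at offset 0 and otherwise trusts the
// remainder of the path, so "../" segments after the prefix are honoured
// by the filesystem.
function weakResolve(string $src, string $prefix, string $baseDir): ?string
{
    if (stripos($src, $prefix) !== 0) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . substr($src, strlen($prefix));
}

// Hardened variant: accept only a bare file name after the prefix, then
// canonicalise with realpath() and require the result to stay inside the
// upload directory.
function safeResolve(string $src, string $prefix, string $baseDir): ?string
{
    if (strncasecmp($src, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $name = substr($src, strlen($prefix));
    // A bare file name has no separators, no traversal segments and no NUL bytes.
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // Containment check on canonical paths (symlinks resolved by realpath()).
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Demo layout: <tmp>/uploads/pic.png is legitimate, <tmp>/secret.txt is not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imp_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/pic.png', 'PNG');
file_put_contents($root . '/secret.txt', 'do not leak');

$prefix  = '/ckeditor/uploads/';   // constructed prefix for the demo
$uploads = $root . '/uploads';

foreach (['/ckeditor/uploads/pic.png', '/ckeditor/uploads/../secret.txt'] as $src) {
    $weak = weakResolve($src, $prefix, $uploads);
    $safe = safeResolve($src, $prefix, $uploads);
    printf("%-35s weak=%s safe=%s\n",
        $src,
        $weak !== null && is_file($weak) ? 'reads ' . basename($weak) : 'rejected',
        $safe !== null ? 'reads ' . basename($safe) : 'rejected');
}

// Cleanup.
unlink($root . '/uploads/pic.png');
unlink($root . '/secret.txt');
rmdir($root . '/uploads');
rmdir($root);
```

Run with `php demo.php`: the legitimate image resolves under both checks, while the traversal input is accepted by the prefix-only check (the filesystem resolves it to secret.txt) and rejected by the hardened one. The design point is that the decision must be made on the canonical path after resolution, not on the string the client supplied; the bare-file-name rule is an additional allow-list that removes separators before realpath() is even consulted.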

CWE: CWE-22
Vendor: horde
Product: imp
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

horde / imp: >= 0, < 7.0.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/horde/imp/releases/tag/v7.0.1
github.com: https://github.com/horde/imp/pull/85
github.com: https://github.com/horde/imp/commit/fba972fab72ee6871e5d56e6390bee38593085de
horde.org: https://www.horde.org/apps/imp
vulncheck.com: https://www.vulncheck.com/advisories/horde-imp-path-traversal-via-compose-php-img-src
blog.evan.lat: https://blog.evan.lat/posts/CVE-2026-58451/

Credits

evan (VulnCheck)