CVE-2026-58451

Source
https://cve.org/CVERecord?id=CVE-2026-58451
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58451.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58451
Downstream
Published
2026-07-01T18:16:09.328Z
Modified
2026-07-08T08:13:48.319206765Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Horde IMP < 7.0.1 Path Traversal via Compose.php img src
Details

Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing filegetcontents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58451.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/horde/imp

Affected ranges

Type
GIT
Repo
https://github.com/horde/imp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.0.1"
        }
    ]
}

Affected versions

v5.*
v5.0.0
v5.0.0alpha1
v5.0.0beta1
v5.0.0rc1
v5.0.0rc2
v5.0.1
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.2
v5.0.20
v5.0.21
v5.0.22
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v6.*
v6.0.0
v6.0.0beta3
v6.0.0beta4
v6.0.0rc1
v6.0.0rc2
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.1.0
v6.1.0beta1
v6.1.0beta2
v6.1.0rc1
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.0alpha1
v6.2.0beta1
v6.2.0beta2
v7.*
v7.0.0
v7.0.0RC1
v7.0.0RC2
v7.0.0RC3
v7.0.0RC4
v7.0.0RC5
v7.0.0alpha1
v7.0.0alpha10
v7.0.0alpha11
v7.0.0alpha12
v7.0.0alpha13
v7.0.0alpha14
v7.0.0alpha15
v7.0.0alpha16
v7.0.0alpha17
v7.0.0alpha18
v7.0.0alpha2
v7.0.0alpha4
v7.0.0alpha5
v7.0.0alpha6
v7.0.0alpha7
v7.0.0alpha8
v7.0.0alpha9
v7.0.0beta1
v7.0.0beta2
v7.0.0beta3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58451.json"