{"id":"CVE-2026-58451","summary":"Horde IMP \u003c 7.0.1 Path Traversal via Compose.php img src","details":"Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.","modified":"2026-07-08T08:13:48.319206765Z","published":"2026-07-01T18:16:09.328Z","database_specific":{"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58451.json","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2026/Jul/8"},{"type":"WEB","url":"https://www.horde.org/apps/imp"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58451.json"},{"type":"ADVISORY","url":"https://github.com/horde/imp/releases/tag/v7.0.1"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58451"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/horde-imp-path-traversal-via-compose-php-img-src"},{"type":"REPORT","url":"https://github.com/horde/imp/pull/85"},{"type":"FIX","url":"https://github.com/horde/imp/commit/fba972fab72ee6871e5d56e6390bee38593085de"},{"type":"PACKAGE","url":"https://github.com/horde/imp"},{"type":"EVIDENCE","url":"https://blog.evan.lat/posts/CVE-2026-58451/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/horde/imp","events":[{"introduced":"0"},{"fixed":"d3f0ce22fb68ccbf0d45ae35b538c0007e047415"},{"fixed":"fba972fab72ee6871e5d56e6390bee38593085de"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"7.0.1"}]}}],"versions":["v7.0.0","v7.0.0RC5","v7.0.0RC4","v7.0.0RC3","v7.0.0RC2","v7.0.0RC1","v7.0.0beta3","v7.0.0beta2","v7.0.0beta1","v7.0.0alpha18","v7.0.0alpha17","v7.0.0alpha16","v7.0.0alpha15","v7.0.0alpha14","v7.0.0alpha13","v7.0.0alpha12","v7.0.0alpha11","v7.0.0alpha10","v7.0.0alpha9","v7.0.0alpha8","v7.0.0alpha7","v7.0.0alpha6","v7.0.0alpha5","v7.0.0alpha4","v7.0.0alpha2","v7.0.0alpha1","v6.2.0beta2","v6.2.0beta1","v6.2.0alpha1","v6.1.6","v6.1.5","v6.1.4","v6.1.3","v6.1.2","v6.1.1","v6.1.0","v6.1.0rc1","v6.1.0beta2","v6.1.0beta1","v6.0.4","v6.0.3","v6.0.2","v6.0.1","v6.0.0","v6.0.0rc2","v6.0.0rc1","v6.0.0beta4","v6.0.0beta3","v5.0.22","v5.0.21","v5.0.20","v5.0.19","v5.0.18","v5.0.17","v5.0.16","v5.0.15","v5.0.14","v5.0.13","v5.0.12","v5.0.11","v5.0.10","v5.0.9","v5.0.8","v5.0.7","v5.0.6","v5.0.5","v5.0.4","v5.0.3","v5.0.2","v5.0.1","v5.0.0","v5.0.0rc2","v5.0.0rc1","v5.0.0beta1","v5.0.0alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58451.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}