CVE-2026-58451
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
Horde IMP before version 7.0.1 contains a path traversal vulnerability in lib/Compose.php. Authenticated attackers can read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending traversal sequences after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.
Risk Assessment
The risk for the organization includes leakage of sensitive data such as configuration files, passwords, or user data through arbitrary file reads from the server. The attack can be performed by an authenticated user or remotely via CSRF, increasing the attack surface.
Recommendation
Immediately update Horde IMP to version 7.0.1 or later. Additionally, implement CSRF protection mechanisms such as anti-CSRF tokens and restrict file read permissions for the server process.
Original NVD description (English source)
Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.

