CVE-2025-26794

exim: Exim: remote SQL injection

Description

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

INFO

Published Date :

2025-02-21T00:00:00.000Z

Last Modified :

2025-12-18T18:21:01.192Z

Source :

mitre

AFFECTED PRODUCTS

The following products are affected by CVE-2025-26794 vulnerability.

Vendors	Products
Exim	Exim

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-26794.

URL	Resource
http://www.openwall.com/lists/oss-security/2025/02/19/1
http://www.openwall.com/lists/oss-security/2025/02/21/4
http://www.openwall.com/lists/oss-security/2025/02/21/5
https://bugzilla.suse.com/show_bug.cgi?id=1237424
https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305
https://exim.org
https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt
https://github.com/Exim/exim/wiki/EximSecurity
https://github.com/NixOS/nixpkgs/pull/383926
https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d
https://www.cve.org/CVERecord?id=CVE-2025-26794
https://www.exim.org/static/doc/security/CVE-2025-26794.txt

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact