Command Injection Vulnerability in Python library's imaplib Module
CVE-2025-15366

5.9MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
20 January 2026

What is CVE-2025-15366?

The imaplib module in Python is susceptible to command injection when user-controlled commands are processed. This vulnerability allows attackers to inject additional commands via newline characters, potentially leading to unauthorized command execution. It is crucial for developers to implement mitigations that reject any commands containing control characters to safeguard their applications against exploitation.

Affected Version(s)

CPython 0 < 3.15.0a6

References

https://github.com/python/cpython/issues/143921
issue-tracking
https://github.com/python/cpython/pull/143922
patch
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.