SQL Injection Vulnerability in Z-Push IMAP Backend by Z-Push Development Team
CVE-2025-8264

9.1 CRITICAL

Key Information:

CVE Published: 29 July 2025

What is CVE-2025-8264?

Versions of Z-Push prior to 2.7.6 contain a vulnerability in the IMAP backend due to the use of unparameterized queries. This weakness allows attackers to execute SQL Injection attacks by crafting malicious inputs, particularly through the username field during basic authentication. Consequently, unauthorized individuals may gain access to sensitive information, modify data, or delete records in a linked third-party database. It is crucial for users to configure their IMAP settings securely and consider switching to LDAP to mitigate this risk.

Affected Version(s)

z-push/z-push-dev 0 < 2.7.6

CVSS V4

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

XBOW