mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Conclusion & alert: CVE-2009-3766 is rated Moderate Risk (49.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.14%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.52% | 1.14% | +0.62% |
| 2 | 2026-06-06 | 0.40% | 0.52% | +0.12% |
| 3 | 2026-04-12 | — | 0.40% | — |
Full EPSS history: 18 records in total; the three most recent changes are shown above.
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 2.0 | MEDIUM | | 8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | unimportant | CVE-2009-3766, unimportant priority: 1 source package (mutt), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2009-3766 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2009-3766 |
| ubuntu | negligible | CVE-2009-3766, negligible priority: 1 source package (mutt), 7 status rows across 7 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, upstream): ignored 6, needs-triage 1. | https://ubuntu.com/security/CVE-2009-3766 |
Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3766. The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.
| URL | Tags |
|---|---|
| http://dev.mutt.org/trac/ticket/3087 | Patch, Vendor Advisory |
| http://marc.info/?l=oss-security&m=125198917018936&w=2 | Mailing List, Third Party Advisory |
| http://www.openwall.com/lists/oss-security/2009/10/26/1 | Mailing List, Third Party Advisory |