mutt CVE Vulnerabilities & CVE List (52)

Products (CPE): — CVEs: 52

mutt vulnerability overview

Aggregates CVE and security vulnerability intelligence across all mutt-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve vendor risk buffer overflow, vendor risk memory corruption, vendor risk input validation, and vendor risk path handling and related problems; some flaws may lead to vendor impact memory corruption.

Vulnerability distribution trend (last 24 months)

Showing 2140 of 52 CVEs
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2018-14359 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They have a buffer overflow via base64 data. [email protected] 9.8 4.10% 2018-07-17 2026-06-16
CVE-2018-14358 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long RFC822.SIZE field. [email protected] 9.8 3.91% 2018-07-17 2026-06-16
CVE-2018-14357 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription. [email protected] 9.8 4.95% 2018-07-17 2026-06-16
CVE-2018-14356 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID. [email protected] 9.8 3.17% 2018-07-17 2026-06-16
CVE-2018-14355 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/util.c mishandles ".." directory traversal in a mailbox name. [email protected] 5.3 3.32% 2018-07-17 2026-06-16
CVE-2018-14354 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription. [email protected] 9.8 6.23% 2018-07-17 2026-06-16
CVE-2018-14353 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c has an integer underflow. [email protected] 9.8 3.70% 2018-07-17 2026-06-16
CVE-2018-14352 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c does not leave room for quote characters, leading to a stack-based buffer overflow. [email protected] 9.8 4.02% 2018-07-17 2026-06-16
CVE-2018-14351 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size. [email protected] 9.8 3.17% 2018-07-17 2026-06-16
CVE-2018-14350 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long INTERNALDATE field. [email protected] 9.8 5.02% 2018-07-17 2026-06-16
CVE-2018-14349 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message. [email protected] 9.8 3.17% 2018-07-17 2026-06-16
CVE-2014-9116 The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer overflow in the mutt_substrdup function. [email protected] 5.0 9.69% 2014-12-02 2026-06-16
CVE-2014-0467 Buffer overflow in copy.c in Mutt before 1.5.23 allows remote attackers to cause a denial of service (crash) via a crafted RFC2047 header line, related to address expansion. [email protected] 5.0 5.16% 2014-03-14 2026-06-16
CVE-2011-1429 Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766. [email protected] 5.8 1.47% 2011-03-16 2026-06-16
CVE-2009-3766 mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. [email protected] 6.8 1.14% 2009-10-23 2026-06-16
CVE-2009-3765 mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. [email protected] 6.8 1.08% 2009-10-23 2026-06-16
CVE-2009-1390 Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack. [email protected] 6.8 1.92% 2009-06-16 2026-06-16
CVE-2007-2683 Buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion. [email protected] 3.5 0.80% 2007-05-15 2026-06-16
CVE-2007-1268 Mutt 1.5.13 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Mutt from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. [email protected] 5.0 2.74% 2007-03-06 2026-06-16
CVE-2006-5298 The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and earlier does not properly verify that temporary files have been created with restricted permissions, which might allow local users to create files with weak permissions via a race condition between the mktemp and safe_fopen function calls. [email protected] 1.2 0.30% 2006-10-16 2026-06-16
cvelogic Threat Intelligence