CVE-2025-26794

CVE Database · CVE-2025-26794

CVE-2025-26794

· HIGHModified

CVSS v3.1

7.5

EPSS

75.78%

Published

Feb 21, 2025

Modified

Dec 18, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-89

Affected Products (1)

exim · exim (up to 4.98.1)vulnerable

References (11)

https://bugzilla.suse.com/show_bug.cgi?id=1237424

Issue TrackingThird Party Advisory

https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305

Patch

https://exim.org

Product

https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt

https://github.com/Exim/exim/wiki/EximSecurity

Vendor Advisory

https://github.com/NixOS/nixpkgs/pull/383926

Release Notes

https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d

Patch

KEV Catalog EPSS Scores Vendors All CVEs