LeakyCreds

CVE-2026-4873 - Vulnerability Analysis

Medium | CVSS: 5.9

Last Updated: May 14, 2026

Mail Client - TLS Bypass

Published: May 13, 2026 | Updated: May 14, 2026 | PoC Available | Remote Exploitable

Overview

A mail client using IMAP, SMTP, or POP3 with connection pooling incorrectly reuses unencrypted connections for TLS-required requests, letting attackers intercept or manipulate data. Exploitation requires an initial unencrypted connection.

Severity & Score

Severity: Medium
CVSS Score: 5.9

Impact

Attackers can intercept or manipulate sensitive data by bypassing TLS encryption, risking data confidentiality and integrity.

Mitigation

Update to the latest version that enforces TLS on all connections, or disable connection reuse for TLS-required sessions.
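
The reuse flaw from the overview and the check that closes it, modelled as an added example; this is not code from the affected client. `Conn`, `Pool`, `tls_required_request_is_encrypted` and the host name are hypothetical, and no network traffic is generated.

```python
from dataclasses import dataclass, field

@dataclass
class Conn:
    """Stand-in for a pooled IMAP/SMTP/POP3 connection (hypothetical model)."""
    host: str
    port: int
    encrypted: bool  # True once a TLS handshake has completed on this connection

@dataclass
class Pool:
    strict: bool                       # False = flawed lookup, True = hardened lookup
    idle: list = field(default_factory=list)

    def _open(self, host, port, require_tls):
        # A real client would connect here and, when require_tls is set, finish
        # STARTTLS or implicit TLS with certificate verification before returning.
        return Conn(host, port, encrypted=require_tls)

    def acquire(self, host, port, require_tls):
        for conn in self.idle:
            if (conn.host, conn.port) != (host, port):
                continue
            # Hardened path: a TLS-required request never reuses a cleartext connection.
            if self.strict and require_tls and not conn.encrypted:
                continue
            self.idle.remove(conn)
            return conn
        return self._open(host, port, require_tls)

    def release(self, conn):
        self.idle.append(conn)

def tls_required_request_is_encrypted(strict):
    """Replay the overview's sequence: a cleartext request, then a TLS-required one."""
    pool = Pool(strict=strict)
    first = pool.acquire("mail.example.test", 143, require_tls=False)  # constructed host
    pool.release(first)                # the cleartext connection returns to the pool
    second = pool.acquire("mail.example.test", 143, require_tls=True)
    return second.encrypted
```

With `strict=False` the TLS-required request is handed the pooled cleartext connection; with `strict=True` that connection is skipped and a new TLS connection is opened.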

Details

CVE ID: CVE-2026-4873
Severity: Medium
CVSS Score: 5.9
Type: misconfiguration
Status: confirmed

CWE

  • CWE-295
  • CWE-319

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N