CVE-2025-8264 · CRITICAL 9.0 · EPSS p29.4%


Description

Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database.

**Note:** This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured.

Mitigation

Change the configuration to use the default or LDAP in backend/imap/config.php:

    define('IMAP_DEFAULTFROM', '');

or

    define('IMAP_DEFAULTFROM', 'ldap');

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.4% · 2026-06-19T12:03:05Z
Published: 2025-07-29
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/Z-Hub/Z-Push/blob/af25a2169a50d6e05a5916d1e8b2b6cd17011c98/src/backend/imap/user_identity.php%23L211C9-L214C25
  2. https://github.com/Z-Hub/Z-Push/pull/161
  3. https://github.com/Z-Hub/Z-Push/pull/161/commits/f981d515a35ac4c303959af21dce880a5db02786
  4. https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180
  5. https://xbow.com/blog/xbow-zpush-sqli/


| Type     | Target                                                                               | Confidence | Tier |
|----------|--------------------------------------------------------------------------------------|------------|------|
| Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0%         | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2025-25064
  - CVE: CVE-2025-22957
  - CVE: CVE-2025-31561
  - CVE: CVE-2026-2225
  - CVE: CVE-2025-52829
  - CVE: CVE-2025-28982
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.