CVE-2026-2469: Php Imap Unescaped Id Injection
greprules fetch cve-2026-2469-php-imap-unescaped-id-injection --engine opengrep
Description
Unescaped variables are concatenated directly into a quoted string within a loop. If this string is used in a text-based protocol (like IMAP, SMTP, LDAP), it can lead to command injection where attackers can inject quotes or newlines to break out of the string boundary. Ensure you escape variables appropriately before concatenation.
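The pattern this rule flags, next to an escaped version, as an added example that is not code from the affected project or from the rule itself. The function names and sample field values are constructed for illustration, and the IMAP ID-style key/value list is an assumption based on the rule title.

```php
<?php
declare(strict_types=1);

// Flagged pattern: each value is concatenated between double quotes inside a
// loop with no escaping, so a quote or line break in a value ends the string early.
function buildIdCommandUnsafe(array $fields): string
{
    $parts = '';
    foreach ($fields as $key => $value) {
        $parts .= '"' . $key . '" "' . $value . '" ';
    }
    return 'ID (' . rtrim($parts) . ')';
}

// Encode one value as an IMAP quoted string (RFC 3501): CR, LF and NUL are not
// permitted at all, and backslash and double quote must be backslash-escaped.
function imapQuote(string $value): string
{
    if (preg_match('/[\x00\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('control character not allowed in IMAP quoted string');
    }
    // strtr with an array replaces in a single pass, so the added backslashes
    // are never escaped a second time.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

// Hardened form: every key and value goes through imapQuote() before it is joined.
function buildIdCommand(array $fields): string
{
    $parts = [];
    foreach ($fields as $key => $value) {
        $parts[] = imapQuote((string) $key) . ' ' . imapQuote((string) $value);
    }
    return 'ID (' . implode(' ', $parts) . ')';
}

// Constructed sample input: one value contains double quotes.
$sample = ['name' => 'Mail "Pro" Client', 'version' => '1.0'];
echo buildIdCommandUnsafe($sample), "\n"; // quotes pass through unescaped
echo buildIdCommand($sample), "\n";       // quotes are backslash-escaped

// Constructed sample input: a value containing a line break is refused outright.
try {
    buildIdCommand(['name' => "line one\r\nline two"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```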
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided