CVE-2025-26794

high-risk

Published 2025-02-21

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

Do I need to act?

74.7% chance of exploitation in next 30 days

EPSS score — higher than 25% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Exim

Affected Vendors

Exim

References (11)

Issue Tracking https://bugzilla.suse.com/show_bug.cgi?id=1237424

Patch https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305

Product https://exim.org

https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt

Vendor Advisory https://github.com/Exim/exim/wiki/EximSecurity

Release Notes https://github.com/NixOS/nixpkgs/pull/383926

Patch https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d

Vendor Advisory https://www.exim.org/static/doc/security/CVE-2025-26794.txt

Mailing List http://www.openwall.com/lists/oss-security/2025/02/19/1

Mailing List http://www.openwall.com/lists/oss-security/2025/02/21/4

Mailing List http://www.openwall.com/lists/oss-security/2025/02/21/5

/ 100

high-risk

Severity 26/34 · High

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal