CVE-2026-43861

LOW

Published May 4, 2026 Modified May 5, 2026 CWE-158

Description

mutt before 2.3.2 does not check for '\0' in url_pct_decode.

CVSS v3.1 Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS — Exploit Prediction

0.0004

Probability of exploitation

0.12%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-158 CWE-158

References

Other References

https://github.com/muttmua/mutt/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2

Frequently Asked Questions

What is CVE-2026-43861? +

mutt before 2.3.2 does not check for '\0' in url_pct_decode. It has a CVSS v3.1 base score of 3.7 (LOW).

How severe is CVE-2026-43861? +

CVE-2026-43861 has a CVSS v3.1 score of 3.7 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0004, placing it in the 0th percentile for exploitation probability.

How do I check if I'm vulnerable to CVE-2026-43861? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-9648

A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By …

CVE-2025-47812 10.0

In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary …

CVE-2025-14388 9.8

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up …

CVE-2025-55113 9.0

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support …

CVE-2025-66263 7.5

Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, …

CVE-2025-1936 7.3

jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when …

Quick Facts

CVSS Score: 3.7
Severity: LOW
EPSS: 0.0004
Published: May 4, 2026

Scan for this vulnerability

Check if your website or infrastructure is affected by CVE-2026-43861.

Website Scan Port Scan

Browse CVEs

Critical High CISA KEV ! Most likely exploited →