CVE-2026-42865

Sažetak

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.

Reference

https://github.com/elie222/inbox-zero/commit/02341923b5460ce9630c4681a9b6461ba466688a
https://github.com/elie222/inbox-zero/security/advisories/GHSA-f3gp-v7cj-2569

CVSS

Base:	4.3
Impact:	1.4
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

21-05-2026 - 18:03

Objavljeno

11-05-2026 - 18:16