CVE-2026-2604: External Control of File Name or Path in Evolution-data-server

Severity: 5.3 MEDIUM (no vector)
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 23

Description

Title: Evolution Data Server vulnerability

Summary: Evolution Data Server could be made to remove files. It was discovered that Evolution Data Server incorrectly handled removing local cache files. An attacker could possibly use this issue to cause Evolution Data Server to remove arbitrary files.

Instructions: After a standard system update you need to restart your session to make all the necessary changes.

Affected Packages (1 package)

debian: debian/evolution-data-server < evolution-data-server 3.38.3-1+deb11u3 (bullseye)

Vendor Advisories (3)

Ubuntu: Evolution Data Server vulnerability (2026-02-23)
Red Hat: evolution-data-server: Evolution Data Server: Arbitrary file deletion via inconsistent URI handling (2026-02-16)
Debian: CVE-2026-2604: evolution-data-server (2026)

Threat Intelligence (1)

Wiz: CVE-2026-2604 Impact, Exploitability, and Mitigation Steps | Wiz