A vulnerability labeled as problematic has been found in mutt up to 2.3.1 . Affected by this issue is the function url_pct_decode . Such manipulation leads to improper neutralization of null byte or nul character. This vulnerability is traded as CVE-2026-43861 . The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.