CVE-2026-42258
MediumCVSS 5.3Exploitation Probability (EPSS)
Elevated risk53th percentile - higher than 53% of all known CVEs
Summary
A vulnerability in the Net::IMAP library for Ruby allows IMAP command injection via symbol arguments passed to commands. The issue is fixed in versions 0.4.24, 0.5.14, and 0.6.4.
Risk Assessment
An attacker can exploit CRLF Injection to execute unauthorized IMAP commands, potentially compromising the confidentiality and integrity of email data.
Recommendation
Immediately update the Net::IMAP library to version 0.4.24, 0.5.14, or 0.6.4 depending on the branch in use.
Original NVD description (English source)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

