CVE Catalog

CVE-2026-42258

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.81%

53th percentile - higher than 53% of all known CVEs

Summary

A vulnerability in the Net::IMAP library for Ruby allows IMAP command injection via symbol arguments passed to commands. The issue is fixed in versions 0.4.24, 0.5.14, and 0.6.4.

Risk Assessment

An attacker can exploit CRLF Injection to execute unauthorized IMAP commands, potentially compromising the confidentiality and integrity of email data.

Recommendation

Immediately update the Net::IMAP library to version 0.4.24, 0.5.14, or 0.6.4 depending on the branch in use.

Original NVD description (English source)

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS