๐Ÿ” CVE Alert

CVE-2026-42257

UNKNOWN 0.0

net-imap: Command Injection via "raw" arguments to multiple commands

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

CWE: CWE-93, CWE-77
Vendor: ruby
Product: net-imap
Ecosystems
Industries
Technology
Published May 9, 2026

Affected Versions

ruby / net-imap
< 0.4.24
>= 0.5.0, < 0.5.14
>= 0.6.0, < 0.6.4
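
An added example (not from the advisory or the net-imap project): a Ruby check for whether a net-imap version pinned in a Gemfile.lock falls inside the affected ranges listed above, plus a guard that rejects CR/LF in user-derived strings before they reach a command that sends them raw. The helper names (`net_imap_affected?`, `locked_net_imap_versions`, `checked_raw_argument`) and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement

# Affected ranges, copied from the "Affected Versions" list on this page.
AFFECTED = [
  Gem::Requirement.new("< 0.4.24"),
  Gem::Requirement.new(">= 0.5.0", "< 0.5.14"),
  Gem::Requirement.new(">= 0.6.0", "< 0.6.4"),
].freeze

# True when the given net-imap version falls inside an affected range.
def net_imap_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED.any? { |req| req.satisfied_by?(v) }
end

# Versions pinned in Gemfile.lock text. Resolved specs are indented by
# exactly four spaces; dependency lines (six spaces) are ignored.
def locked_net_imap_versions(lockfile_text)
  lockfile_text.scan(/^ {4}net-imap \(([^)\s]+)\)$/).flatten.uniq
end

class UnsafeRawArgument < ArgumentError; end

# Hypothetical helper, not part of net-imap: call it on any string built
# from user input before passing it as a raw command argument. CR or LF
# would end the current command line, so the string is rejected outright.
def checked_raw_argument(str)
  s = String(str)
  if (m = s.match(/[\r\n]/))
    raise UnsafeRawArgument,
          format("control byte 0x%02X at offset %d in raw IMAP argument",
                 m[0].ord, m.begin(0))
  end
  s
end

# Constructed sample lockfile fragment (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.8.1)
        net-imap
      net-imap (0.5.8)
        date
        net-protocol
LOCK
```

Upgrading to a patched release is the fix; the guard is defence in depth for call sites that build raw arguments from user input.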

References

github.com: https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg
github.com: https://github.com/ruby/net-imap/releases/tag/v0.4.24
github.com: https://github.com/ruby/net-imap/releases/tag/v0.5.14
github.com: https://github.com/ruby/net-imap/releases/tag/v0.6.4