net-imap vulnerable to command Injection via "raw" arguments to multiple commands — CVE-2026-42257
GitHub · GitHub · CVE-2026-42257
ID
CVE-2026-42257
CVE-2026-42257
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.8
5.8
EPSS
0.00021
0.00021
Summary
### Summary Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands. ### Details `Net::IMAP`'s generic argument handling, used by most command arguments, interprets string arguments as an IMAP…
Product
rubygems: net-imap
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.