CVE-2026-42258 MEDIUM

CVE-2026-42258: net-imap: Command Injection via unvalidated Symbol inputs

Vendor Ruby
Product net-imap
Weakness CWE-77
Published May 9, 2026
Last update June 30, 2026

CVSS base score

5.8/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Passive
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Symbol arguments passed to IMAP commands are not validated and are vulnerable to CRLF injection / IMAP command injection. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Key dates

02 Disclosure timeline

May 9, 2026 CVE published
June 30, 2026 Record updated