CVE-2026-47242
MEDIUMNet::IMAP: Command Injection via ID command argument
Title source: cnaDescription
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. This vulnerability is fixed in 0.6.5 and 0.5.15.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/ruby/net-imap/security/advisories/GHSA-46q3-7gv7-qmgg
Scores
CVSS v4
5.8
EPSS
0.0013
EPSS Percentile
3.1%
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-77
CWE-93
Status
published
Products (4)
ruby/net-imap
< 0.5.15
ruby/net-imap
>= 0.6.0, < 0.6.4.1
rubygems/net-imap
0 - 0.5.15RubyGems
rubygems/net-imap
0.6.0 - 0.6.4.1RubyGems
Published
Jun 22, 2026
Tracked Since
Jun 23, 2026