CVE-2026-42257
published 2026-05-09


Priority P2 (61) · critical 9.8 · CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.43% (34.4th percentile)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
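The mitigation for this class of bug is to refuse or properly quote any user-controlled string before it reaches an IMAP command, and on the detection side to treat a CRLF appearing before the end of a single client command as a smuggled command. The following is an added example, not code from the advisory or from the net-imap gem; all function and constant names are hypothetical and the sample lines are constructed.

```ruby
# Added example, not code from the advisory or from the net-imap gem.
# Defender-side guard for the CVE-2026-42257 class of bug: a user-controlled
# string that reaches an IMAP command unescaped must never carry CR or LF,
# because the server treats CRLF as the end of the current command and parses
# whatever follows as a new one. All names here are hypothetical.

class ImapArgumentError < ArgumentError; end

# Reject CR or LF anywhere in a value destined for an IMAP command line.
def safe_imap_argument(value)
  raise ImapArgumentError, "CR/LF not permitted in IMAP argument" if value.match?(/[\r\n]/)
  value
end

# Render a value as an IMAP quoted string (RFC 3501 section 4.3): only 7-bit
# text without CR/LF may be quoted, and '"' and '\' must be backslash-escaped.
# Anything else would have to go out as a length-prefixed literal, which this
# helper does not implement, so it refuses such input instead of guessing.
def imap_quote(value)
  safe_imap_argument(value)
  raise ImapArgumentError, "quoted strings must be 7-bit ASCII" unless value.ascii_only?
  '"' + value.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# Detection side: one client command occupies one CRLF-terminated line, so a
# CR or LF before the terminating CRLF means a second command was smuggled in.
def injected_command?(wire_bytes)
  wire_bytes.chomp("\r\n").match?(/[\r\n]/)
end

# Constructed samples (not captured traffic) exercising both paths.
BENIGN_LINE   = "A001 SELECT \"INBOX\"\r\n"
SMUGGLED_LINE = "A001 SELECT \"INBOX\"\r\nA002 NOOP\r\n"

if __FILE__ == $PROGRAM_NAME
  puts imap_quote('Drafts "2026"')        # "Drafts \"2026\""
  puts injected_command?(BENIGN_LINE)     # false
  puts injected_command?(SMUGGLED_LINE)   # true
  begin
    safe_imap_argument("INBOX\r\nA002 NOOP")
  rescue ImapArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```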

Affected

26 ranges, showing 25

Vendor | Product | Version range | Fixed in
3scale-amp2 | system-rhel7 | |
3scale-amp2 | system-rhel8 | |
3scale-amp2 | system-rhel9 | |
3scale-amp2 | zync-rhel8 | |
3scale-amp2 | zync-rhel9 | |
3scale-amp21 | system | |
3scale-amp21 | zync | |
3scale-amp22 | system | |
3scale-amp22 | zync | |
debian | ruby3.3 | |
ruby-lang | net | < 0.4.24 | 0.4.24
ruby-lang | net | >= 0.5.0 < 0.5.14 | 0.5.14
ruby-lang | net | >= 0.6.0 < 0.6.4 | 0.6.4
ruby-lang | ruby | |
ruby | net-imap | < 0.4.24 | 0.4.24
ruby | net-imap | |
ruby | net-imap | |
ruby | net-imap | >= 0 < 0.5.15 | 0.5.15
ruby | net-imap | >= 0 < 0.4.24 | 0.4.24
ruby | net-imap | >= 0.5.0 < 0.5.14 | 0.5.14
ruby | net-imap | >= 0.6.0 < 0.6.4.1 | 0.6.4.1
ruby | net-imap | >= 0.6.0 < 0.6.4 | 0.6.4
ruby_3.3 | ruby | |
ruby_4.0 | ruby | |
ubuntu | ruby2.3 | |

Detection & IOCs (extracted from sources)

  • Detect CRLF sequences (\r\n) injected into IMAP command arguments sent from a Net::IMAP client to an IMAP server, which may indicate attempted IMAP command injection
  • Monitor IMAP traffic for unexpected command sequences or protocol violations following a single client-initiated command, which may indicate injected commands via CRLF
  • Flag Ruby applications using Net::IMAP versions prior to 0.4.24, 0.5.14, or 0.6.4 that pass user-controlled input directly to IMAP command methods without sanitization
  • Vulnerable versions of the net-imap gem are 0.4.x prior to 0.4.24, 0.5.x prior to 0.5.14, and 0.6.x prior to 0.6.4; patched versions are 0.4.24, 0.5.14, and 0.6.4
  • Multiple Red Hat packages (3scale, RHEL 8/9/10 ruby packages) have fixes deferred or are under investigation, meaning vulnerable versions may remain deployed in those environments for an extended period

CVSS provenance

Source | Version | Score | Vector
nvd | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 5.8 MEDIUM | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa | | 9.8 CRITICAL |
vendor_ubuntu | | 7.4 HIGH |
vendor_redhat | | 5.8 MEDIUM |