CVE-2026-42258
Published 2026-05-09
Priority P4 · 33 · medium · 5.3 · CVSS 3.1
CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS: 0.69% (47.9th percentile)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | system-rhel7 | — | — |
| 3scale-amp2 | system-rhel8 | — | — |
| 3scale-amp2 | system-rhel9 | — | — |
| 3scale-amp2 | zync-rhel8 | — | — |
| 3scale-amp2 | zync-rhel9 | — | — |
| 3scale-amp21 | system | — | — |
| 3scale-amp21 | zync | — | — |
| 3scale-amp22 | system | — | — |
| 3scale-amp22 | zync | — | — |
| debian | ruby3.3 | — | — |
| devspaces | code-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| ruby-lang | net | < 0.4.24 | 0.4.24 |
| ruby-lang | net | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby-lang | net | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby-lang | ruby | — | — |
| ruby | net-imap | < 0.4.24 | 0.4.24 |
| ruby | net-imap | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | >= 0 < 0.4.24 | 0.4.24 |
| ruby | net-imap | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby | net-imap | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby_2.5 | ruby | — | — |
| ruby_3.3 | ruby | — | — |
| ruby_4.0 | ruby | — | — |
Detection & IOCs (extracted from sources)
- IMAP Command Injection via CRLF sequences embedded in Symbol arguments passed to Net::IMAP commands — monitor IMAP traffic for unexpected CRLF (\r\n) sequences injected within command arguments
- Exploitation involves passing specially crafted symbol arguments to IMAP commands to inject arbitrary IMAP commands — inspect Ruby application logs for anomalous IMAP command sequences originating from Net::IMAP client calls
- Vulnerability is limited to IMAP command injection only — arbitrary code execution is NOT possible; impact is confined to email systems (IMAP server/client integrity and information disclosure)
- Fixed versions are net-imap 0.4.24, 0.5.14, and 0.6.4 — any Ruby application using Net::IMAP prior to these versions is vulnerable regardless of platform
- No mitigation is currently available that meets Red Hat Product Security criteria — patching to a fixed version is the only remediation path
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L |
| nvd | 4.0 | 5.8 | MEDIUM | CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 9.8 | CRITICAL | — |
VulDB
ruby net-imap up to 0.4.23/0.5.13/0.6.3 Net::IMAP command injection (GHSA-75xq-5h9v-w6px)
vuldb·2026-05-18·CVSS 5.8
CVE-2026-42258 [MEDIUM] ruby net-imap up to 0.4.23/0.5.13/0.6.3 Net::IMAP command injection (GHSA-75xq-5h9v-w6px)
A vulnerability classified as critical has been found in ruby net-imap up to 0.4.23/0.5.13/0.6.3. Affected by this issue is the function Net::IMAP. This manipulation causes command injection.
This vulnerability appears as CVE-2026-42258. The attack requires local access. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
net-imap vulnerable to command Injection via unvalidated Symbol inputs
ghsa·2026-05-04
CVE-2026-42258 [MEDIUM] CWE-77 net-imap vulnerable to command Injection via unvalidated Symbol inputs
### Summary
Symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands.
### Details
Symbol arguments represent IMAP "system flags", which are formatted as "atoms" (with no quoting) with a `"\"` prefix. Vulnerable versions of Net::IMAP send the symbol name directly to the socket, with no validation.
Because the Symbol input is unvalidated, it could contain invalid `flag` characters, including `SP` and `CRLF`, which could be used to finish the current command and inject new commands.
Although IMAP `flag` arguments are only valid input for a few IMAP commands, most Net::IMAP commands use generic argument handling, and will allow Symbol (`flag
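The atom rule the advisory refers to, as an added example that is neither net-imap's code nor the advisory's: a check that enforces the RFC 3501 atom grammar on symbol flag names before they are formatted, shown beside the unchecked formatting the advisory describes. The constant, function names, and sample arguments are assumptions of this example.

```ruby
# Added example, not net-imap's own code. RFC 3501 "atom-char" excludes the
# atom-specials: "(" ")" "{" SP CTL "%" "*" DQUOTE "\" and "]".
ATOM_SPECIALS = /[(){ \x00-\x1f\x7f%*"\\\]]/

# A symbol is only usable as a system flag if its name is a non-empty ASCII atom.
def valid_flag_atom?(name)
  !name.empty? && name.ascii_only? && !name.match?(ATOM_SPECIALS)
end

# The behaviour the advisory describes: the symbol name is formatted as a
# backslash-prefixed atom with no validation, so SP or CRLF pass straight through.
def format_flag_unchecked(sym)
  "\\#{sym}"
end

# Hardened variant: refuse anything that is not an atom before it reaches the wire.
def format_flag_checked(sym)
  name = sym.to_s
  unless valid_flag_atom?(name)
    raise ArgumentError, "invalid IMAP flag name: #{name.inspect}"
  end
  "\\#{name}"
end

# Scan a whole argument list the way a generic command path would, returning the
# offending symbols so a caller (or a pre-upgrade audit hook) can reject the command.
def invalid_flag_symbols(args)
  args.flatten.select { |a| a.is_a?(Symbol) && !valid_flag_atom?(a.to_s) }
end

# Constructed sample inputs for illustration (hypothetical, not from the advisory).
SAFE_ARGS   = ["INBOX", [:Seen, :Flagged]]
UNSAFE_ARGS = ["INBOX", [:Seen, :"Seen\r\n", :"Junk Mail"]]
```

The audit helper is only a stopgap for inventorying call sites; the remediation the sources name is upgrading to 0.4.24, 0.5.14, or 0.6.4.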
Red Hat
ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments
vendor_redhat·2026-05-09·CVSS 9.8
CVE-2026-42258 [CRITICAL] CWE-93 ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments
A flaw was found in Net::IMAP, a Ruby library that provides Internet Message Access Protocol (IMAP) client functionality. This vulnerability allows a remote attacker to inject arbitrary IMAP commands. This is achieved by passing specially crafted symbol arguments to IMAP commands. Successful exploitation could lead to unauthorized actions on the IMAP server or client, potentially r
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42258 ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments [fedora-all]
bugzilla·2026-06-09·CVSS 9.8
CVE-2026-42258 [CRITICAL] CVE-2026-42258 ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42258 ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments
bugzilla·2026-05-09·CVSS 9.8
CVE-2026-42258 [CRITICAL] CVE-2026-42258 ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
References:
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
- https://access.redhat.com/errata/RHSA-2026:33462
- https://access.redhat.com/security/cve/CVE-2026-42258
- https://bugzilla.redhat.com/show_bug.cgi?id=2468498
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42258.json