CVE-2026-47241
Published 2026-06-22
Priority: P4 · 17 · low · CVSS 4.0: 2.1
EPSS: 0.24% (14.8th percentile)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby | net-imap | < 0.5.15 | 0.5.15 |
| ruby | net-imap | — | — |
| ruby | net-imap | >= 0 < 0.5.15 | 0.5.15 |
| ruby | net-imap | >= 0.6.0 < 0.6.4.1 | 0.6.4.1 |
CVSS provenance
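| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 9.8 | CRITICAL | — |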
VulDB
ruby net-imap up to 0.5.14 Net::IMAP trailing special elements (GHSA-c4fp-cxrr-mj66 / Nessus ID 323668)
vuldb·2026-06-30·CVSS 2.1
CVE-2026-47241 [LOW] ruby net-imap up to 0.5.14 Net::IMAP trailing special elements (GHSA-c4fp-cxrr-mj66 / Nessus ID 323668)
A vulnerability classified as problematic has been found in ruby net-imap up to 0.5.14. Affected by this issue is the function Net::IMAP. The manipulation leads to improper neutralization of trailing special elements.
This vulnerability is documented as CVE-2026-47241. The attack can be initiated remotely. There is not any exploit available.
It is recommended to upgrade the affected component.
GHSA
Net::IMAP: Denial of Service via incomplete raw argument validation
ghsa·2026-06-09·CVSS 9.8
CVE-2026-47241 [CRITICAL] CWE-162 Net::IMAP: Denial of Service via incomplete raw argument validation
### Summary
Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed.
### Details
`Net::IMAP::RawData` was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trai
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.