CVE-2026-42257

EUVD-2026-28926
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Command Injection
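A caller-side check for the issue described above, added here as an example (not code from the advisory or from the net-imap project): it tests a version string against the affected ranges listed on this page and rejects user-derived values containing CR or LF before they reach an IMAP command. The helper names `affected_net_imap?`, `assert_single_line!` and `UnsafeImapArgument` are hypothetical, and the sample inputs are constructed.

```ruby
require "rubygems" # Gem::Version; normally preloaded, required here for clarity

# Affected ranges from this page: [inclusive lower bound or nil, exclusive upper bound].
AFFECTED_RANGES = [
  [nil,     "0.4.24"],
  ["0.5.0", "0.5.14"],
  ["0.6.0", "0.6.4"],
].map { |lo, hi| [lo && Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# True when the given net-imap version string falls inside an affected range.
def affected_net_imap?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |lo, hi| (lo.nil? || v >= lo) && v < hi }
end

# Hypothetical error type raised by the guard below.
class UnsafeImapArgument < ArgumentError; end

# Hypothetical guard: refuse any value that contains CR or LF, since either
# byte can end the current command line. Returns the value as a String.
def assert_single_line!(value, field: "argument")
  str = String(value)
  # Scan a binary copy so invalid UTF-8 in the input cannot raise in the regex.
  if (idx = str.b.index(/[\r\n]/))
    raise UnsafeImapArgument,
          "#{field} contains a line break at byte offset #{idx}: #{str[0, 40].inspect}"
  end
  str
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions, one on each side of every patched release.
  %w[0.4.23 0.4.24 0.5.13 0.5.14 0.6.3 0.6.4].each do |ver|
    puts format("net-imap %-7s affected=%s", ver, affected_net_imap?(ver))
  end

  # Constructed sample inputs: one clean value, one carrying an embedded CRLF.
  ["Drafts", "Drafts\r\nsecond line"].each do |input|
    begin
      puts "accepted: #{assert_single_line!(input, field: 'mailbox').inspect}"
    rescue UnsafeImapArgument => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The guard is defence in depth for applications that cannot upgrade immediately; the fix itself is moving to 0.4.24, 0.5.14 or 0.6.4.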
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score
Percentile: 32%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ruby-lang | net\ | 𝑥 < 0.4.24 |
| ruby-lang | net\ | 0.5.0 ≤ 𝑥 < 0.5.14 |
| ruby-lang | net\ | 0.6.0 ≤ 𝑥 < 0.6.4 |

𝑥 = Vulnerable software versions
Amazon Linux Releases
| Amazon Package | Release | Version | Status |
|---|---|---|---|
| ruby3.4 | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-bundled-gems | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-bundled-gems-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-debugsource | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-default-gems | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-devel | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-doc | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-libs | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-libs-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-bigdecimal | Amazon Linux 2023 | 0:3.1.8-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-bigdecimal-debuginfo | Amazon Linux 2023 | 0:3.1.8-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-bundler | Amazon Linux 2023 | 0:2.6.9-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-io-console | Amazon Linux 2023 | 0:0.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-io-console-debuginfo | Amazon Linux 2023 | 0:0.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-irb | Amazon Linux 2023 | 0:1.14.3-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-json | Amazon Linux 2023 | 0:2.9.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-json-debuginfo | Amazon Linux 2023 | 0:2.9.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-minitest | Amazon Linux 2023 | 0:5.25.4-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-power_assert | Amazon Linux 2023 | 0:2.0.5-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-psych | Amazon Linux 2023 | 0:5.2.2-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-psych-debuginfo | Amazon Linux 2023 | 0:5.2.2-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-racc | Amazon Linux 2023 | 0:1.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-racc-debuginfo | Amazon Linux 2023 | 0:1.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rake | Amazon Linux 2023 | 0:13.2.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rbs | Amazon Linux 2023 | 0:3.8.0-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rbs-debuginfo | Amazon Linux 2023 | 0:3.8.0-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rdoc | Amazon Linux 2023 | 0:6.14.0-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rexml | Amazon Linux 2023 | 0:3.4.4-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rss | Amazon Linux 2023 | 0:0.3.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-test-unit | Amazon Linux 2023 | 0:3.6.7-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-typeprof | Amazon Linux 2023 | 0:0.30.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygems | Amazon Linux 2023 | 0:3.6.9-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygems-devel | Amazon Linux 2023 | 0:3.6.9-27.amzn2023.0.6 | fixed |