CVE-2026-42258CRITICAL 9.8EPSS p56.2%

CVE-2026-42258CVE-2026-42258

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.94% probability of exploitation · percentile 56.2% · 2026-06-19T12:03:05Z
Published2026-05-09
Last modified2026-05-18

Underlying weaknesses· 2

CWE-77CWE-93

References

  1. https://github.com/ruby/net-imap/releases/tag/v0.4.24
  2. https://github.com/ruby/net-imap/releases/tag/v0.5.14
  3. https://github.com/ruby/net-imap/releases/tag/v0.6.4
  4. https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px

2

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in a Command ('Command Injection')cwe-770%live
WeaknessImproper Neutralization of CRLF Sequences ('CRLF Injection')cwe-930%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-42257
CVE
Roundcube Webmail Remote Code Execution Vulnerability
CVE
CVE-2025-26794
CVE
CVE-2025-8264
CVE
CVE-2026-48842
CVE
CVE-2026-42507
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.