Command Injection in Net::IMAP for Ruby by Ruby
CVE-2026-47242

5.8 MEDIUM

Key Information:

Vendor: Ruby
Status: Vendor
CVE Published: 22 June 2026

What is CVE-2026-47242?

The Net::IMAP library in Ruby has a command injection vulnerability that arises when the #id method is called with a hash argument. Although ID field value strings are quoted so that special characters are escaped, the values are not validated against CRLF sequences, so a value containing CR/LF can end the current IMAP command line and inject further IMAP commands. In addition, the #enable method does not verify that its arguments are valid IMAP atoms, which likewise allows injection of IMAP commands. The issue is fixed in versions 0.6.5 and 0.5.15.
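The two missing checks described above can be enforced in the calling application until the fixed gem is deployed. The following is an added example, not code from the net-imap project or this advisory: it rejects CR/LF in ID field names and values, checks ENABLE arguments against the RFC 3501/9051 atom grammar, and wraps any client object that responds to `id` and `enable` (such as a `Net::IMAP` instance) so that validation happens before the command is sent. The helper names (`validate_id_params!`, `valid_atom?`, `guarded_id`, `guarded_enable`) and the sample inputs are constructed for this example.

```ruby
# Added example (not net-imap's own code): input validation in front of
# Net::IMAP#id and Net::IMAP#enable. Names and sample data are constructed.

# A CR or LF inside a quoted IMAP string ends the command line; reject it.
CRLF_PATTERN = /[\r\n]/

# RFC 3501 / RFC 9051 atom: one or more 7-bit CHARs excluding atom-specials:
#   ( ) { SP CTL % * DQUOTE backslash ]
ATOM_PATTERN = /\A[^(){ \x00-\x1f\x7f%*"\\\]]+\z/

# Returns the params hash unchanged if every key and value is safe to send
# as an ID field, otherwise raises ArgumentError.
def validate_id_params!(params)
  raise ArgumentError, "ID params must be a Hash" unless params.is_a?(Hash)

  params.each do |key, value|
    [key, value].compact.each do |field|
      unless field.is_a?(String)
        raise ArgumentError, "ID field #{key.inspect} must be a String or nil"
      end
      if field.match?(CRLF_PATTERN)
        raise ArgumentError, "ID field #{key.inspect} contains CR/LF"
      end
    end
  end
  params
end

# True when the string is a syntactically valid IMAP atom (for example
# "CONDSTORE" or "UTF8=ACCEPT"); false for anything that could alter the
# command line, such as spaces, quotes, parentheses or control characters.
def valid_atom?(name)
  name.is_a?(String) && name.ascii_only? && name.match?(ATOM_PATTERN)
end

# Returns the capability names as strings, raising if any is not an atom.
def validate_enable_args!(*capabilities)
  capabilities.flatten.map do |cap|
    name = cap.is_a?(Symbol) ? cap.to_s : cap
    unless valid_atom?(name)
      raise ArgumentError, "ENABLE argument #{cap.inspect} is not a valid IMAP atom"
    end
    name
  end
end

# Wrappers: validate first, then delegate to the client (duck-typed so a
# Net::IMAP instance or a test double both work).
def guarded_id(client, params)
  client.id(validate_id_params!(params))
end

def guarded_enable(client, *capabilities)
  client.enable(*validate_enable_args!(*capabilities))
end

# Constructed sample inputs for a quick self-check.
SAFE_ID_PARAMS = { "name" => "ExampleClient", "version" => "1.0", "os" => nil }.freeze
UNSAFE_ID_PARAMS = { "name" => "bad\r\nvalue" }.freeze  # CRLF inside a value

if __FILE__ == $PROGRAM_NAME
  # A recording stand-in for Net::IMAP, used only to show the call path.
  client = Object.new
  def client.id(params) = (@sent = ["ID", params])
  def client.enable(*caps) = (@sent = ["ENABLE", caps])
  puts guarded_id(client, SAFE_ID_PARAMS).inspect
  puts guarded_enable(client, "CONDSTORE", "UTF8=ACCEPT").inspect
  begin
    guarded_id(client, UNSAFE_ID_PARAMS)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Because the wrappers accept any object that responds to `id` and `enable`, they can be dropped in front of an existing `Net::IMAP` connection without changing how the rest of the code builds its parameters; the fixed gem versions perform equivalent checks internally, so the wrappers become redundant once the upgrade is in place.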

Affected Version(s)

net-imap >= 0.6.0, < 0.6.4.1 < 0.6.0, 0.6.4.1

net-imap < 0.5.15 < 0.5.15

References

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
