CVE-2026-42258: net-imap vulnerable to command injection via unvalidated Symbol inputs
Symbol arguments passed to IMAP commands are not validated, which makes them vulnerable to CRLF injection / IMAP command injection.
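An application-side check for the input class described above, as an added example that is not code from net-imap or from this advisory: it rejects any Symbol that is not a plain IMAP atom (RFC 3501 grammar) before the argument list reaches a command method. The helper names and the sample value are hypothetical, and it assumes the application builds Symbols from data it does not control.

```ruby
# Added example, not net-imap code: validate Symbol arguments in the
# application before they are handed to an IMAP command method.

# RFC 3501 atom-specials, which must not appear inside an atom.
ATOM_SPECIALS = '(){%*"\\]'.bytes.freeze

class UnsafeImapSymbol < ArgumentError; end

# True when every byte is printable ASCII (0x21..0x7e, so no SP, CR, LF or
# other control bytes) and none of them is an atom-special.
def imap_atom?(str)
  bytes = str.bytes
  !bytes.empty? &&
    bytes.all? { |b| b.between?(0x21, 0x7e) && !ATOM_SPECIALS.include?(b) }
end

# Returns the Symbol unchanged, or raises before anything is sent.
def checked_imap_symbol(sym)
  return sym if imap_atom?(sym.to_s)
  raise UnsafeImapSymbol, "rejected Symbol argument #{sym.inspect}"
end

# Walks an argument list (nested Arrays included) and checks every Symbol;
# other argument types pass through untouched.
def check_imap_args(args)
  args.map do |arg|
    case arg
    when Symbol then checked_imap_symbol(arg)
    when Array  then check_imap_args(arg)
    else arg
    end
  end
end

# Constructed sample input: a flag name taken from untrusted data.
UNTRUSTED = "Seen\r\nA002 NOOP"

# Returns [checked args for a clean list, error message for the tainted one].
def demo
  ok = check_imap_args([1..3, "+FLAGS", [:Seen, :Flagged]])
  bad = begin
    check_imap_args([1..3, "+FLAGS", [UNTRUSTED.to_sym]])
  rescue UnsafeImapSymbol => e
    e.message
  end
  [ok, bad]
end

p demo if $PROGRAM_NAME == __FILE__
```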
References
- github.com/advisories/GHSA-75xq-5h9v-w6px
- github.com/ruby/net-imap
- github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b
- github.com/ruby/net-imap/commit/9db3e9d60bfb8f3735ea95015bf8a700f4af9cbb
- github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71
- github.com/ruby/net-imap/releases/tag/v0.4.24
- github.com/ruby/net-imap/releases/tag/v0.5.14
- github.com/ruby/net-imap/releases/tag/v0.6.4
- github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
- nvd.nist.gov/vuln/detail/CVE-2026-42258