CVE-2026-47242: Net::IMAP: Command Injection via ID command argument

June 9, 2026

Two Net::IMAP commands, #id and #enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands.

Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon.

References

github.com/advisories/GHSA-46q3-7gv7-qmgg
github.com/ruby/net-imap/releases/tag/v0.6.4.1
github.com/ruby/net-imap/security/advisories/GHSA-46q3-7gv7-qmgg
nvd.nist.gov/vuln/detail/CVE-2026-47242

Code Behaviors & Features

Detect and mitigate CVE-2026-47242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →