CVE-2026-47240
MediumCVSS 5.8Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
The Net::IMAP library in Ruby has a vulnerability that allows arbitrary IMAP command injection if the server does not support non-synchronizing literals. Versions prior to 0.6.5 and 0.5.15 are susceptible to an attack that may lead to unauthorized command execution.
Risk Assessment
Organizations using vulnerable versions may be exposed to CRLF injection attacks, potentially leading to unauthorized access to or manipulation of data.
Recommendation
It is recommended to update the Net::IMAP library to version 0.6.5 or 0.5.15 to mitigate this vulnerability.
Original NVD description (English source)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.

