Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uidsearch; searchkeys for #sort, #thread, #uidsort, and #uidthread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47240.json",
"cwe_ids": [
"CWE-77",
"CWE-93"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.6.4.1"
},
{
"introduced": "0"
},
{
"fixed": "0.5.15"
}
],
"source": "AFFECTED_FIELD"
}