
68 matches found

Github Security Blog
added 2026/06/09 6:36 p.m. | 8 views

Net::IMAP: Denial of Service via incomplete raw argument validation

Summary: Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will...

9.8 CVSS | 5.7 AI score | 0.00438 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
RedhatCVE
added 2026/06/05 7:30 p.m. | 7 views

CVE-2026-42258

A flaw was found in Net::IMAP, a Ruby library that provides Internet Message Access Protocol (IMAP) client functionality. This vulnerability allows a remote attacker to inject arbitrary IMAP commands. This is achieved by passing specially crafted symbol arguments to IMAP commands. Successful...

9.8 CVSS | 5.3 AI score | 0.00937 EPSS
Exploits: 0 | References: 7
NVD
added 2026/05/09 8:16 p.m. | 8 views

CVE-2026-42258

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched ...

9.8 CVSS | 0.00937 EPSS
Exploits: 0 | References: 4
UbuntuCve
added 2026/05/09 8:16 p.m. | 6 views

CVE-2026-42258

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched ...

9.8 CVSS | 5.8 AI score | 0.00937 EPSS
Exploits: 0 | References: 5
OSV
added 2026/05/09 8:16 p.m. | 5 views

UBUNTU-CVE-2026-42258

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched ...

9.8 CVSS | 5.7 AI score | 0.00937 EPSS
Exploits: 0 | References: 6
OSV
added 2026/05/08 11:1 a.m. | 4 views

CLSA-2026-1778238067 dovecot: Fix of CVE-2026-27857

CVE-2026-27857: fix excessive memory usage from many '' in IMAP commands...

7.5 CVSS | 5.8 AI score | 0.0039 EPSS
Exploits: 1 | References: 1
Snyk
added 2026/05/04 10:4 p.m. | 10 views

CRLF Injection

Overview: Affected versions of this package are vulnerable to CRLF Injection via unvalidated flag arguments in IMAP commands. A user can execute arbitrary IMAP commands by injecting CRLF sequences through crafted Symbol inputs. Remediation: Upgrade net-imap to version 0.4.24, 0.5.14, 0.6.4 or highe...

9.8 CVSS | 6 AI score | 0.00937 EPSS
Exploits: 0 | References: 3
Positive Technologies
added 2026/05/04 12:0 a.m. | 5 views

PT-2026-37049

Name of the Vulnerable Software and Affected Versions: Net::IMAP versions prior to 0.4.24; Net::IMAP versions prior to 0.5.14; Net::IMAP versions prior to 0.6.4. Description: Several commands in the Net::IMAP Ruby library accept raw string arguments that are sent to the server without validation or...

9.8 CVSS | 5.9 AI score | 0.00937 EPSS
Exploits: 0 | References: 33
OSV
added 2026/04/16 3:37 p.m. | 4 views

CLSA-2026-1776091275 python3.9: Fix of CVE-2025-15366

CVE-2025-15366: reject control characters in IMAP commands...

5.9 CVSS | 7.1 AI score | 0.00315 EPSS
Exploits: 0 | References: 1
Snyk
added 2026/04/03 6:31 a.m. | 0 views

Arbitrary Argument Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized arguments in the SEARCH process. An attacker can manipulate IMAP commands or bypass cross-site request forgery protections by supplying crafted input to the mail search functionality...

3.1 CVSS | 5.9 AI score | 0.00283 EPSS
Exploits: 0 | References: 2
OSV
added 2026/04/01 3:47 p.m. | 4 views

CLSA-2026-1775058454 python: Fix of CVE-2025-15366

CVE-2025-15366: reject control characters in IMAP commands to prevent command injection...

5.9 CVSS | 7.1 AI score | 0.00315 EPSS
Exploits: 0 | References: 1
OSV
added 2026/04/01 3:43 p.m. | 6 views

CLSA-2026-1775058202 python: Fix of CVE-2025-15366

CVE-2025-15366: reject control characters in IMAP commands to prevent command injection...

5.9 CVSS | 7.1 AI score | 0.00315 EPSS
Exploits: 0 | References: 1
RedHat Linux
added 2026/03/31 9:11 a.m. | 3 views

cpython: IMAP command injection in user-controlled commands

A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed in the IMAP server...

5.9 CVSS | 5.8 AI score | 0.00315 EPSS
Exploits: 0 | References: 7
OSV
added 2026/03/27 12:21 p.m. | 4 views

CLSA-2026-1774614065 python3: Fix of CVE-2025-15366

CVE-2025-15366: reject control characters in IMAP commands...

5.9 CVSS | 5.8 AI score | 0.00315 EPSS
Exploits: 0 | References: 1
OSV
added 2026/03/26 11:40 a.m. | 7 views

CLSA-2026-1774525255 python3.11: Fix of 4 CVEs

CVE-2026-0865: reject control characters in wsgiref.headers.Headers - CVE-2025-15366: reject control characters in IMAP commands - CVE-2025-15367: reject control characters in POP3 commands - CVE-2026-1299: verify headers are sound in email BytesGenerator...

6 CVSS | 5.8 AI score | 0.0056 EPSS
Exploits: 0 | References: 1
OSV
added 2026/03/26 9:46 a.m. | 4 views

CLSA-2026-1774518355 python3.11: Fix of CVE-2025-15366

CVE-2025-15366: reject control characters in IMAP commands...

5.9 CVSS | 7.1 AI score | 0.00315 EPSS
Exploits: 0 | References: 1
RedHat Linux
added 2026/03/23 2:17 a.m. | 4 views

cpython: IMAP command injection in user-controlled commands

A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed in the IMAP server...

5.9 CVSS | 7 AI score | 0.00315 EPSS
Exploits: 0 | References: 7
OSV
added 2026/03/20 3:56 p.m. | 9 views

CLSA-2026-1774022191 python3.9: Fix of 4 CVEs

CVE-2026-0865: reject control characters in wsgiref headers - CVE-2025-15366: reject control characters in IMAP commands - CVE-2025-15367: reject control characters in POP3 commands - CVE-2026-1299: verify headers are sound in email BytesGenerator...

6 CVSS | 7.1 AI score | 0.0056 EPSS
Exploits: 0 | References: 1
OSV
added 2026/03/19 5:20 a.m. | 4 views

USN-8018-3 python2.7 vulnerabilities

USN-8018-1 fixed CVE-2025-12084, CVE-2025-15282, CVE-2026-0672, CVE-2026-0865 for python3. This update provides the corresponding updates for python2.7. Original advisory details: Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this iss...

6.3 CVSS | 7.3 AI score | 0.00696 EPSS
Exploits: 0 | References: 5
OSV
added 2026/03/11 9:54 a.m. | 5 views

CLSA-2026-1773222843 python3: Fix of 2 CVEs

CVE-2025-15366: reject control characters in IMAP commands - CVE-2026-1299: email: verify headers are sound in BytesGenerator...

6 CVSS | 5.8 AI score | 0.0056 EPSS
Exploits: 0 | References: 1