PatchSiren

ruby CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW ruby CVE published 2026-06-22

CVE-2026-47241

CVE-2026-47241 is a low-severity vulnerability in Net::IMAP, Ruby's implementation of an Internet Message Access Protocol (IMAP) client. Due to insufficient validation of user-controlled input, the vulnerability allows an attacker to inject malicious commands. Specifically, several Net::IMAP commands accept raw string arguments that are validated only to prevent CRLF injection and are then sent verbatim. Th [truncated]

MEDIUM ruby CVE published 2026-05-09

CVE-2026-42258

CVE-2026-42258 is a medium-severity injection issue in Ruby’s Net::IMAP client. According to the NVD record and GitHub security advisory references, symbol arguments passed to IMAP commands could be abused for CRLF injection / IMAP command injection. The issue was publicly disclosed on 2026-05-09 and is patched in Net::IMAP 0.4.24, 0.5.14, and 0.6.4.

MEDIUM ruby CVE published 2026-05-09

CVE-2026-42257

CVE-2026-42257 is a command-injection issue in Ruby's Net::IMAP client library. Several Net::IMAP commands accepted raw string arguments that were sent to the IMAP server without validation or escaping. If an application passed user-controlled input into those arguments, embedded CRLF sequences could let an attacker inject additional IMAP commands. The issue was patched in Net::IMAP versions 0.4.24, 0.5.1 [truncated]

MEDIUM ruby CVE published 2026-05-09

CVE-2026-42256

CVE-2026-42256 is a client-side denial-of-service issue in Ruby's Net::IMAP library. When a connection authenticates with SCRAM-SHA1 or SCRAM-SHA256, a hostile IMAP server can send an excessively large iteration count that causes the client process to burn CPU during authentication. The issue is fixed in Net::IMAP 0.4.24, 0.5.14, and 0.6.4.

HIGH ruby CVE published 2026-05-09

CVE-2026-42246

CVE-2026-42246 is a high-severity flaw in Ruby's Net::IMAP client where a man-in-the-middle attacker can make Net::IMAP#starttls appear to succeed without actually negotiating TLS. If your application relies on IMAP STARTTLS to protect credentials or mail traffic, treat this as an urgent upgrade issue and verify that the connection is truly encrypted after the upgrade attempt.

LOW ruby CVE published 2026-05-09

CVE-2026-42245

CVE-2026-42245 is a denial-of-service issue in Ruby’s Net::IMAP client library. Before versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader can take quadratic time when processing large responses with many string literals. An attacker controlling or emulating an IMAP server can use crafted responses to exhaust client CPU and disrupt service. The issue was publicly recorded on 2026-05-09 and is fi [truncated]

HIGH ruby CVE published 2026-04-24

CVE-2026-41316

CVE-2026-41316 is a high-severity vulnerability in the Ruby ERB templating system. The vulnerability was introduced in Ruby 2.7.0 and affects ERB versions prior to 2.2.0. An attacker can exploit this vulnerability by triggering Marshal.load on untrusted data in a Ruby application that has ERB loaded, allowing for code execution via the ERB#def_module method. This vulnerability has a CVSS score of 8.1 and [truncated]

LOW ruby CVE published 2026-04-16

CVE-2026-27820

CVE-2026-27820 is a low-severity memory corruption issue in Ruby’s zlib interface. The flaw is in Zlib::GzipReader: zstream_buffer_ungets prepends caller-provided bytes ahead of already-produced output, but it does not always ensure the underlying Ruby string has enough capacity before memmove shifts the existing data. The CVE was published on 2026-04-16 and later modified on 2026-05-21. Fixed releases ar [truncated]