PatchSiren

ruby CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM ruby CVE published 2026-05-09

CVE-2026-42258

CVE-2026-42258 is a medium-severity injection issue in Ruby’s Net::IMAP client. According to the NVD record and the GitHub security advisory it references, symbol arguments passed to IMAP commands could be abused for CRLF injection, which in turn allows IMAP command injection. The issue was publicly disclosed on 2026-05-09 and is patched in Net::IMAP 0.4.24, 0.5.14, and 0.6.4.

MEDIUM ruby CVE published 2026-05-09

CVE-2026-42257

CVE-2026-42257 is a command-injection issue in Ruby's Net::IMAP client library. Several Net::IMAP commands accepted raw string arguments that were sent to the IMAP server without validation or escaping. If an application passed user-controlled input into those arguments, embedded CRLF sequences could let an attacker inject additional IMAP commands. The issue was patched in Net::IMAP versions 0.4.24, 0.5.1 [truncated]

MEDIUM ruby CVE published 2026-05-09

CVE-2026-42256

CVE-2026-42256 is a client-side denial-of-service issue in Ruby's Net::IMAP library. When a connection authenticates with SCRAM-SHA-1 or SCRAM-SHA-256, a hostile IMAP server can send an excessively large iteration count, causing the client process to burn CPU during authentication. The issue is fixed in Net::IMAP 0.4.24, 0.5.14, and 0.6.4.

HIGH ruby CVE published 2026-05-09

CVE-2026-42246

CVE-2026-42246 is a high-severity flaw in Ruby's Net::IMAP client where a man-in-the-middle attacker can make Net::IMAP#starttls appear to succeed without actually negotiating TLS. If your application relies on IMAP STARTTLS to protect credentials or mail traffic, treat this as an urgent upgrade issue and verify that the connection is truly encrypted after the upgrade attempt.

LOW ruby CVE published 2026-05-09

CVE-2026-42245

CVE-2026-42245 is a denial-of-service issue in Ruby’s Net::IMAP client library. Before versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader can take quadratic time when processing large responses with many string literals. An attacker controlling or emulating an IMAP server can use crafted responses to exhaust client CPU and disrupt service. The issue was publicly recorded on 2026-05-09 and is fi [truncated]