CVE-2026-42246
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6
CVSS
7.4
High
EPSS
0.3%
p25
KEV
—
Exploit Today
7
0-100
Published: May 9, 2026 · Last modified: Jul 15, 2026 · CWE-392 · CWE-393 · CWE-636
0.3%EPSS · 30 days0.3%
2026-06-302026-07-16
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
- github.comhttps://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
- github.comhttps://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e
- github.comhttps://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c
- github.comhttps://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da
- github.comhttps://github.com/ruby/net-imap/releases/tag/v0.3.10
- github.comhttps://github.com/ruby/net-imap/releases/tag/v0.4.24
- github.comhttps://github.com/ruby/net-imap/releases/tag/v0.5.14
- github.comhttps://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33462
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33512
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33514
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33515
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33540
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33551
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33552
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33565
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33576
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33577
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33630
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33721
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-256397.5 HIG82.9%
——25Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.18hCVE-2026-59467.5 HIG76.2%
——23Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.2dCVE-2025-59878.1 HIG70.2%
——21A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.17dCVE-2026-46947.5 HIG51.6%
——15Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2dCVE-2026-46908.6 HIG51.6%
——15Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2dCVE-2026-46867.5 HIG49.1%
——15Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2d