CWE-393
AllowedReturn of Wrong Status Code
Abstraction: Base · Status: Draft
A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.
17 vulnerabilities reference this CWE, most recent first.
GHSA-4P37-9V73-JM8H
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Consider the case of rX += rX where src_reg and dst_reg are pointers to the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first modifies the dst_reg in-place, and later in the delta tracking, the subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the post-{add,sub} value instead of the original source.
This is problematic since it sets an incorrect delta, which sync_linked_regs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case.
{
"affected": [],
"aliases": [
"CVE-2026-53092"
],
"database_specific": {
"cwe_ids": [
"CWE-393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:23Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix linked reg delta tracking when src_reg == dst_reg\n\nConsider the case of rX += rX where src_reg and dst_reg are pointers to\nthe same bpf_reg_state in adjust_reg_min_max_vals(). The latter first\nmodifies the dst_reg in-place, and later in the delta tracking, the\nsubsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the\npost-{add,sub} value instead of the original source.\n\nThis is problematic since it sets an incorrect delta, which sync_linked_regs()\nthen propagates to linked registers, thus creating a verifier-vs-runtime\nmismatch. Fix it by just skipping this corner case.",
"id": "GHSA-4p37-9v73-jm8h",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53092"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53092"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492362"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7f14173c0d5866c3cae759dee560ad1bed10d2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d88e8e4a3b52bd5b2ff3eceba4b29d1b5506d066"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53092.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7HQ7-5M7P-R2PP
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.
This issue was fixed in version 463.
{
"affected": [],
"aliases": [
"CVE-2026-9058"
],
"database_specific": {
"cwe_ids": [
"CWE-393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-25T14:16:27Z",
"severity": "CRITICAL"
},
"details": "Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, \"Positively verified\") even when the trust status of the signer\u0027s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == \"nondetermined\"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.\n\nThis issue was fixed in version 463.",
"id": "GHSA-7hq7-5m7p-r2pp",
"modified": "2026-05-26T13:30:42Z",
"published": "2026-05-26T13:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9058"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/05/CVE-2026-9058"
},
{
"type": "WEB",
"url": "https://www.elektronicznypodpis.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8MFX-6CPC-CR47
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-26 21:32Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so execution falls through to an XMEMCPY that writes past the end of the buffer once the accumulated TLS 1.3 handshake transcript exceeds MSGBAG_SIZE (8 KB), corrupting adjacent heap state and potentially causing a remote denial of service crash. The bag is sized to hold a normal handshake, so this is reached only by an unusually large but valid certificate chain, or by a malicious or man-in-the-middle server sending an oversized handshake message to a client that does not strictly verify the chain. This only affects builds using the Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled, and is rated High within those builds. All other configurations are unaffected.
{
"affected": [],
"aliases": [
"CVE-2026-55958"
],
"database_specific": {
"cwe_ids": [
"CWE-393",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T20:17:16Z",
"severity": "HIGH"
},
"details": "Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so execution falls through to an XMEMCPY that writes past the end of the buffer once the accumulated TLS 1.3 handshake transcript exceeds MSGBAG_SIZE (8 KB), corrupting adjacent heap state and potentially causing a remote denial of service crash. The bag is sized to hold a normal handshake, so this is reached only by an unusually large but valid certificate chain, or by a malicious or man-in-the-middle server sending an oversized handshake message to a client that does not strictly verify the chain. This only affects builds using the Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled, and is rated High within those builds. All other configurations are unaffected.",
"id": "GHSA-8mfx-6cpc-cr47",
"modified": "2026-06-26T21:32:11Z",
"published": "2026-06-25T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55958"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/10705"
},
{
"type": "WEB",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9436-3GMP-4F53
Vulnerability from github – Published: 2023-07-19 22:11 – Updated: 2023-07-19 22:11Summary
The fix for SSTI using |map, |filter and |reduce twigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value from isDangerousFunction(), which allows to execute the payload prepending double backslash (\\)
Details
The isDangerousFunction() check in version 1.7.42 and onwards retuns false value instead of true when the \ symbol is found in the $name.
...
if (strpos($name, "\\") !== false) {
return false;
}
if (in_array($name, $commandExecutionFunctions)) {
return true;
}
...
Based on the code where the function is used, it is expected that any dangerous condition would return true
/**
* @param Environment $env
* @param array $array
* @param callable|string $arrow
* @return array|CallbackFilterIterator
* @throws RuntimeError
*/
function mapFunc(Environment $env, $array, $arrow)
{
if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
}
when |map('\system') is used in the malicious payload, the single backslash is dropped prior to reaching strpos($name, '\\') check, thus $name variable already has no backslash, and the command is blacklisted because it reaches the if (in_array($name, $commandExecutionFunctions)) { validation step.
However if |map('\\system') is used (i.e. double backslash), then the strpos($name, "\\") !== false takes effect, and isDangerousFunction() returns false , in which case the RuntimeError is not generated, and blacklist is bypassed leading to code execution.
Exploit Conditions
This vulnerability can be exploited if the attacker has access to:
- an Administrator account, or
- a non-administrator, user account that has Admin panel access and Create/Update page permissions
Steps to reproduce
- Log in to Grav Admin using an administrator account.
- Navigate to
Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:- Login to Admin - Allowed
- Page Update - Allowed
- Log out of Grav Admin
- Login using the account created in step 2.
- Choose
Pages -> Home - Click the
Advancedtab and select the checkbox besideTwigto ensure that Twig processing is enabled for the modified webpage. - Under the
Contenttab, insert the following payload within the editor:{{ ['id'] | map('\\system') | join() }} - Click the
Previewbutton. Observe that the output of the id shell command is returned in the preview.
Mitigation
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 2f121bbe3..7b267cd0f 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ abstract class Utils
}
if (strpos($name, "\\") !== false) {
- return false;
+ return true;
}
if (in_array($name, $commandExecutionFunctions)) {
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.42.1"
},
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.42.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37897"
],
"database_specific": {
"cwe_ids": [
"CWE-393",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-19T22:11:07Z",
"nvd_published_at": "2023-07-18T21:15:15Z",
"severity": "HIGH"
},
"details": "### Summary\nThe fix for SSTI using `|map`, `|filter` and `|reduce` twigs implemented in the commit [71bbed1](https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b) introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\\\`) \n\n### Details\nThe `isDangerousFunction()` check in version 1.7.42 and onwards retuns `false` value instead of `true` when the `\\` symbol is found in the `$name`.\n\n```php\n...\n if (strpos($name, \"\\\\\") !== false) {\n return false;\n }\n\n if (in_array($name, $commandExecutionFunctions)) {\n return true;\n }\n...\n```\nBased on the code where the function is used, it is expected that any dangerous condition would return `true`\n```php\n /**\n * @param Environment $env\n * @param array $array\n * @param callable|string $arrow\n * @return array|CallbackFilterIterator\n * @throws RuntimeError\n */\n function mapFunc(Environment $env, $array, $arrow)\n {\n if (!$arrow instanceof \\Closure \u0026\u0026 !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n throw new RuntimeError(\u0027Twig |map(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n\t}\n```\nwhen `|map(\u0027\\system\u0027)` is used in the malicious payload, the single backslash is dropped prior to reaching `strpos($name, \u0027\\\\\u0027)` check, thus `$name` variable already has no backslash, and the command is blacklisted because it reaches the `if (in_array($name, $commandExecutionFunctions)) {` validation step. \n\nHowever if `|map(\u0027\\\\system\u0027)` is used (i.e. double backslash), then the `strpos($name, \"\\\\\") !== false` takes effect, and `isDangerousFunction()` returns `false` , in which case the `RuntimeError` is not generated, and blacklist is bypassed leading to code execution.\n\n### Exploit Conditions\nThis vulnerability can be exploited if the attacker has access to:\n\n1. an Administrator account, or\n2. a non-administrator, user account that has Admin panel access and Create/Update page permissions\n\n### Steps to reproduce\n\n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts \u003e Add`, and ensure that the following permissions are assigned when creating a new low-privileged user: \n - Login to Admin - Allowed\n - Page Update - Allowed\n3. Log out of Grav Admin\n4. Login using the account created in step 2.\n5. Choose `Pages -\u003e Home`\n6. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n7. Under the `Content` tab, insert the following payload within the editor:\n```{{ [\u0027id\u0027] | map(\u0027\\\\system\u0027) | join() }}```\n8. Click the `Preview` button. Observe that the output of the id shell command is returned in the preview.\n\n### Mitigation\n\n```diff\ndiff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php\nindex 2f121bbe3..7b267cd0f 100644\n--- a/system/src/Grav/Common/Utils.php\n+++ b/system/src/Grav/Common/Utils.php\n@@ -2069,7 +2069,7 @@ abstract class Utils\n }\n \n if (strpos($name, \"\\\\\") !== false) {\n- return false;\n+ return true;\n }\n \n if (in_array($name, $commandExecutionFunctions)) {\n \n```\n\n",
"id": "GHSA-9436-3gmp-4f53",
"modified": "2023-07-19T22:11:07Z",
"published": "2023-07-19T22:11:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "grav Server-side Template Injection (SSTI) mitigation bypass"
}
GHSA-J885-4693-CQGH
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33Windows Hyper-V Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49117"
],
"database_specific": {
"cwe_ids": [
"CWE-393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:04:38Z",
"severity": "HIGH"
},
"details": "Windows Hyper-V Remote Code Execution Vulnerability",
"id": "GHSA-j885-4693-cqgh",
"modified": "2024-12-12T03:33:05Z",
"published": "2024-12-12T03:33:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49117"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49117"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MFRM-W63C-3X58
Vulnerability from github – Published: 2025-04-08 03:32 – Updated: 2025-11-03 21:33In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
{
"affected": [],
"aliases": [
"CVE-2025-32414"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T03:15:15Z",
"severity": "MODERATE"
},
"details": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.",
"id": "GHSA-mfrm-w63c-3x58",
"modified": "2025-11-03T21:33:30Z",
"published": "2025-04-08T03:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32414"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VCGP-9326-PQCP
Vulnerability from github – Published: 2026-05-04 22:01 – Updated: 2026-05-14 20:48Summary
A man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.
Details
When using Net::IMAP#starttls to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged OK response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows #starttls to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.
This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks Net::IMAP#tls_verified?.
Impact
TLS bypass, leading to cleartext transmission of sensitive information.
Mitigation
- Upgrade to a patched version of net-imap that raises an exception whenever
#starttlsdoes not establish TLS. - Connect to an implicit TLS port, rather than use
STARTTLSwith a cleartext port. This is strongly recommended anyway: - RFC 8314: Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access
- NO STARTTLS: Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context
- Explicitly verify
Net::IMAP#tls_verified?istrue, before using the connection after#starttls.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.3"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.13"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.5.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.4.23"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.4.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.9"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42246"
],
"database_specific": {
"cwe_ids": [
"CWE-392",
"CWE-393",
"CWE-636",
"CWE-754",
"CWE-841"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T22:01:52Z",
"nvd_published_at": "2026-05-09T20:16:28Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA man-in-the-middle attacker can cause `Net::IMAP#starttls` to return \"successfully\", without starting TLS.\n\n### Details\n\nWhen using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes \"successfully\" before the response handler is registered. This allows `#starttls` to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.\n\nThis allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks `Net::IMAP#tls_verified?`.\n\n### Impact\n\nTLS bypass, leading to cleartext transmission of sensitive information.\n\n### Mitigation\n\n* Upgrade to a patched version of net-imap that raises an exception whenever `#starttls` does not establish TLS.\n* Connect to an implicit TLS port, rather than use `STARTTLS` with a cleartext port.\n This is strongly recommended anyway:\n * [RFC 8314](https://www.rfc-editor.org/info/rfc8314): Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access\n * [NO STARTTLS](https://nostarttls.secvuln.info/): Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context\n* Explicitly verify `Net::IMAP#tls_verified?` is `true`, before using the connection after `#starttls`.",
"id": "GHSA-vcgp-9326-pqcp",
"modified": "2026-05-14T20:48:01Z",
"published": "2026-05-04T22:01:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/net-imap"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml"
},
{
"type": "WEB",
"url": "https://nostarttls.secvuln.info"
},
{
"type": "WEB",
"url": "https://www.rfc-editor.org/info/rfc8314"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "net-imap vulnerable to STARTTLS stripping via invalid response timing"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.