{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T06:48:37.757","vulnerabilities":[{"cve":{"id":"CVE-2026-30227","sourceIdentifier":"security-advisories@github.com","published":"2026-03-06T21:16:16.607","lastModified":"2026-03-12T15:34:59.480","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \\r\\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1."},{"lang":"es","value":"MimeKit es una librería C# que puede ser utilizada para la creación y el análisis de mensajes utilizando la Extensión de Correo de Internet Multipropósito (MIME), tal como lo definen numerosas especificaciones del IETF. Antes de la versión 4.15.1, una vulnerabilidad de inyección CRLF en MimeKit permite a un atacante incrustar \\r\\n en la parte local de la dirección del sobre SMTP (cuando la parte local es una cadena entre comillas). Esto no cumple con la RFC 5321 y puede resultar en inyección de comandos SMTP (por ejemplo, inyectando comandos RCPT a / DATA / RSET adicionales) y/o inyección de encabezados de correo, dependiendo de cómo la aplicación utilice MailKit/MimeKit para construir y enviar mensajes. El problema se vuelve explotable cuando el atacante puede influir en un valor de MailboxAddress (MAIL FROM / RCPT TO) que luego se serializa a una sesión SMTP. La RFC 5321 define explícitamente la gramática de la parte local del buzón SMTP y no permite CR (13) o LF (10) dentro de Quoted-string (los rangos qtextSMTP y quoted-pairSMTP excluyen caracteres de control). Los comandos SMTP son terminados por , haciendo que la inyección CRLF en los argumentos de los comandos sea particularmente peligrosa. Este problema ha sido parcheado en la versión 4.15.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-93"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:jstedfast:mimekit:*:*:*:*:*:*:*:*","versionEndExcluding":"4.15.1","matchCriteriaId":"23724BF5-DA1C-4F23-BB68-30B4A6C6231B"}]}]}],"references":[{"url":"https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}