{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30227", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T17:23:59.797Z", "datePublished": "2026-03-06T21:07:49.691Z", "dateUpdated": "2026-03-09T20:54:29.184Z"}, "containers": {"cna": {"title": "MimeKit: CRLF Injection in Quoted Local-Part Enables SMTP Command Injection and Email Forgery", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx"}], "affected": [{"vendor": "jstedfast", "product": "MimeKit", "versions": [{"version": "< 4.15.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:07:49.691Z"}, "descriptions": [{"lang": "en", "value": "MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \\r\\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1."}], "source": {"advisory": "GHSA-g7hc-96xr-gvvx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30227", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:46:30.556894Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:29.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30227", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:46:30.556894Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:47:36.375Z"}}], "cna": {"title": "MimeKit: CRLF Injection in Quoted Local-Part Enables SMTP Command Injection and Email Forgery", "source": {"advisory": "GHSA-g7hc-96xr-gvvx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jstedfast", "product": "MimeKit", "versions": [{"status": "affected", "version": "< 4.15.1"}]}], "references": [{"url": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx", "name": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \\r\\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:07:49.691Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30227", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:29.184Z", "dateReserved": "2026-03-04T17:23:59.797Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T21:07:49.691Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jstedfast:mimekit:*:*:*:*:*:*:*:*", "matchCriteriaId": "23724BF5-DA1C-4F23-BB68-30B4A6C6231B", "versionEndExcluding": "4.15.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \\r\\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1."}, {"lang": "es", "value": "MimeKit es una librer\u00eda C# que puede ser utilizada para la creaci\u00f3n y el an\u00e1lisis de mensajes utilizando la Extensi\u00f3n de Correo de Internet Multiprop\u00f3sito (MIME), tal como lo definen numerosas especificaciones del IETF. Antes de la versi\u00f3n 4.15.1, una vulnerabilidad de inyecci\u00f3n CRLF en MimeKit permite a un atacante incrustar \\r\\n en la parte local de la direcci\u00f3n del sobre SMTP (cuando la parte local es una cadena entre comillas). Esto no cumple con la RFC 5321 y puede resultar en inyecci\u00f3n de comandos SMTP (por ejemplo, inyectando comandos RCPT a / DATA / RSET adicionales) y/o inyecci\u00f3n de encabezados de correo, dependiendo de c\u00f3mo la aplicaci\u00f3n utilice MailKit/MimeKit para construir y enviar mensajes. El problema se vuelve explotable cuando el atacante puede influir en un valor de MailboxAddress (MAIL FROM / RCPT TO) que luego se serializa a una sesi\u00f3n SMTP. La RFC 5321 define expl\u00edcitamente la gram\u00e1tica de la parte local del buz\u00f3n SMTP y no permite CR (13) o LF (10) dentro de Quoted-string (los rangos qtextSMTP y quoted-pairSMTP excluyen caracteres de control). Los comandos SMTP son terminados por , haciendo que la inyecci\u00f3n CRLF en los argumentos de los comandos sea particularmente peligrosa. Este problema ha sido parcheado en la versi\u00f3n 4.15.1."}], "id": "CVE-2026-30227", "lastModified": "2026-03-12T15:34:59.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T21:16:16.607", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.15.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MimeKit", "source": "cna", "vendor": "jstedfast"}, "product": "mimekit", "vendor": "jstedfast"}], "analysis": {"en": {"generated_at": "2026-04-16T11:10:12.083998+00:00", "value": {"mitigation_remediation": ["Upgrade MimeKit to version 4.15.1 or later, which contains the CRLF injection fix.", "Validate all email address components before serialization; reject or escape any CR or LF characters in quoted local\u2011parts.", "Audit your application code to ensure MailboxAddress objects are constructed only from trusted data and that no raw strings are inserted into the local\u2011part."], "summary": {"action": "Apply Patch", "impact": "SMTP Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerable component is MimeKit, a C# library maintained by jstedfast. All releases prior to 4.15.1 are susceptible. Applications that use MimeKit to build or parse email messages and then send them via SMTP are affected if they construct a MailboxAddress with a quoted local\u2011part that is not properly sanitized.", "description_and_impact": "MimeKit contains a flaw that enables an attacker to inject CRLF sequences into a quoted local\u2011part of an email address during serialization to an SMTP session. The injection allows arbitrary SMTP commands, such as RCPT TO, DATA, or RSET, to be added, leading to mail header tampering or the forging of email messages. The issue violates RFC 5321 and is categorized as a CRLF injection (CWE\u201193), potentially compromising the integrity and authenticity of outgoing mail.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, while the EPSS score of 1% reflects a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to influence a MailboxAddress that is later serialized to an SMTP session, which is most likely in scenarios where user or untrusted data is used to form email addresses. Although a public exploit is not currently available, the potential for serious email tampering warrants timely remediation."}}}}, "created": "2026-03-09T10:06:53.067148+00:00", "updated": "2026-04-16T11:15:27.687552+00:00", "vendors": ["jstedfast", "jstedfast$PRODUCT$mimekit"]}