CVE-2026-30227

MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jstedfast:mimekit:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-06 21:16

Updated : 2026-03-12 15:34

NVD link : CVE-2026-30227

Mitre link : CVE-2026-30227

CVE.ORG link : CVE-2026-30227

JSON object : View

Products Affected

jstedfast

mimekit

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

{"id": "CVE-2026-30227", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T21:16:16.607", "references": [{"url": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \\r\\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1."}, {"lang": "es", "value": "MimeKit es una librer\u00eda C# que puede ser utilizada para la creaci\u00f3n y el an\u00e1lisis de mensajes utilizando la Extensi\u00f3n de Correo de Internet Multiprop\u00f3sito (MIME), tal como lo definen numerosas especificaciones del IETF. Antes de la versi\u00f3n 4.15.1, una vulnerabilidad de inyecci\u00f3n CRLF en MimeKit permite a un atacante incrustar \\r\\n en la parte local de la direcci\u00f3n del sobre SMTP (cuando la parte local es una cadena entre comillas). Esto no cumple con la RFC 5321 y puede resultar en inyecci\u00f3n de comandos SMTP (por ejemplo, inyectando comandos RCPT a / DATA / RSET adicionales) y/o inyecci\u00f3n de encabezados de correo, dependiendo de c\u00f3mo la aplicaci\u00f3n utilice MailKit/MimeKit para construir y enviar mensajes. El problema se vuelve explotable cuando el atacante puede influir en un valor de MailboxAddress (MAIL FROM / RCPT TO) que luego se serializa a una sesi\u00f3n SMTP. La RFC 5321 define expl\u00edcitamente la gram\u00e1tica de la parte local del buz\u00f3n SMTP y no permite CR (13) o LF (10) dentro de Quoted-string (los rangos qtextSMTP y quoted-pairSMTP excluyen caracteres de control). Los comandos SMTP son terminados por , haciendo que la inyecci\u00f3n CRLF en los argumentos de los comandos sea particularmente peligrosa. Este problema ha sido parcheado en la versi\u00f3n 4.15.1."}], "lastModified": "2026-03-12T15:34:59.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jstedfast:mimekit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23724BF5-DA1C-4F23-BB68-30B4A6C6231B", "versionEndExcluding": "4.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}