{"id":"CVE-2026-30227","summary":"MimeKit: CRLF Injection in Quoted Local-Part Enables SMTP Command Injection and Email Forgery","details":"MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \\r\\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by \u003cCRLF\u003e, making CRLF injection in command arguments particularly dangerous.\nThis issue has been patched in version 4.15.1.","aliases":["GHSA-g7hc-96xr-gvvx"],"modified":"2026-03-14T15:06:00.921763Z","published":"2026-03-06T21:07:49.691Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30227.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-93"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30227.json"},{"type":"ADVISORY","url":"https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30227"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jstedfast/mimekit","events":[{"introduced":"0"},{"fixed":"5c79dcc7c7c6c238aec40747ecf7481393a3d04e"}]}],"versions":["1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.10.0","1.10.1","1.12.0","1.14.0","1.14.1","1.16.0","1.16.1","1.16.2","1.18.0","1.18.1","1.2.0","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.21","1.2.22","1.2.23","1.2.24","1.2.25","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.20.0","1.22.0","1.4.0","1.4.1","1.4.2","1.6.0","1.8.0","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.5.1","2.10.0","2.10.1","2.11.0","2.12.0","2.13.0","2.14.0","2.15.0","2.15.1","2.2.0","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.5.0","2.5.1","2.5.2","2.6.0","2.7.0","2.8.0","2.9.1","2.9.2","3.0.0","3.1.0","3.1.1","3.2.0","3.3.0","3.4.0","3.4.1","3.4.2","3.4.3","3.5.0","3.6.0","3.6.1","4.0.0","4.1.0","4.10.0","4.11.0","4.12.0","4.13.0","4.14.0","4.15.0","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.7.0","4.7.1","4.8.0","4.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30227.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}