Vulnerability details: VCID-gvkv-58vx-9ybk
Vulnerability ID VCID-gvkv-58vx-9ybk
Aliases CVE-2015-9097
GHSA-q86f-fmqf-qrf6
OSV-131677
Summary SMTP Injection via to/from addresses. The mail package does not disallow CRLF in email addresses; an attacker can inject SMTP commands in specially crafted email addresses passed to `RCPT TO` and `MAIL FROM`.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3.1 6.1 http://openwall.com/lists/oss-security/2015/12/11/3
generic_textual MODERATE http://openwall.com/lists/oss-security/2015/12/11/3
epss 0.01021 https://api.first.org/data/v1/epss?cve=CVE-2015-9097
cvssv3.1 6.1 https://github.com/advisories/GHSA-q86f-fmqf-qrf6
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q86f-fmqf-qrf6
generic_textual MODERATE https://github.com/advisories/GHSA-q86f-fmqf-qrf6
cvssv3.1 6.1 https://github.com/mikel/mail
generic_textual MODERATE https://github.com/mikel/mail
cvssv3.1 6.1 https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
generic_textual MODERATE https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
cvssv3.1 6.1 https://github.com/mikel/mail/pull/1097
generic_textual MODERATE https://github.com/mikel/mail/pull/1097
cvssv3.1 6.1 https://github.com/rubysec/ruby-advisory-db/issues/215
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/issues/215
cvssv3 6.1 https://hackerone.com/reports/137631
cvssv3.1 6.1 https://hackerone.com/reports/137631
generic_textual MODERATE https://hackerone.com/reports/137631
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2015-9097
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2015-9097
cvssv3.1 6.1 https://rubysec.com/advisories/mail-OSVDB-131677
generic_textual MODERATE https://rubysec.com/advisories/mail-OSVDB-131677
cvssv3.1 6.1 http://www.mbsd.jp/Whitepaper/smtpi.pdf
generic_textual MODERATE http://www.mbsd.jp/Whitepaper/smtpi.pdf
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://openwall.com/lists/oss-security/2015/12/11/3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-q86f-fmqf-qrf6
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mikel/mail
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mikel/mail/pull/1097
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/issues/215
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://hackerone.com/reports/137631
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2015-9097
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://rubysec.com/advisories/mail-OSVDB-131677
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://www.mbsd.jp/Whitepaper/smtpi.pdf
Exploit Prediction Scoring System (EPSS)
Percentile 0.77578
EPSS Score 0.01021
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:36:55.969998+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/mail/CVE-2015-9097.yml 38.6.0