Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pgqp-64zv-8fc3
Vulnerability ID VCID-pgqp-64zv-8fc3
Aliases CVE-2015-9097
GHSA-q86f-fmqf-qrf6
Summary SMTP Injection via to/from addresses The mail package does not disallow CRLF in email addresses; an attacker can inject SMTP commands in specially crafted email addresses passed to `RCPT TO` and `MAIL FROM`.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01021 https://api.first.org/data/v1/epss?cve=CVE-2015-9097
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q86f-fmqf-qrf6
Reference id Reference type URL
http://openwall.com/lists/oss-security/2015/12/11/3
https://api.first.org/data/v1/epss?cve=CVE-2015-9097
https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
https://github.com/mikel/mail/pull/1097
https://github.com/rubysec/ruby-advisory-db/issues/215
https://hackerone.com/reports/137631
https://rubysec.com/advisories/mail-OSVDB-131677
http://www.mbsd.jp/Whitepaper/smtpi.pdf
CVE-2015-9097 https://nvd.nist.gov/vuln/detail/CVE-2015-9097
GHSA-q86f-fmqf-qrf6 https://github.com/advisories/GHSA-q86f-fmqf-qrf6
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.77536
EPSS Score 0.01021
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:52:49.754087+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/mail/CVE-2015-9097.yml 38.6.0