7.5
CVE-2026-42499 · EXPLOITED · PATCHED
apache · james

Quadratic string concatenation in consumePhrase in net/mail

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected Products

Vendor | Product | Versions
apache | james | 0, 1.26.0-0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
golang | go | cert_advisory | 90%

References

  • https://go.dev/issue/78987
  • https://go.dev/cl/771520
  • https://groups.google.com/g/golang-announce/c/qcCIEXso47M
  • https://pkg.go.dev/vuln/GO-2026-4977

Related News (3 articles)

Tier A
Microsoft MSRC · 1d ago
CVE-2026-42499 Quadratic string concatenation in consumePhrase in net/mail
→ No new info (linked only)
Tier B
BSI Advisories · 3d ago
[NEW] [medium] Golang Go: Multiple vulnerabilities
→ No new info (linked only)
Tier C
VulDB · 4d ago
CVE-2026-42499 | net-mail up to 1.25.9/1.26.2 on Go Email Address algorithmic complexity
→ No new info (linked only)
CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 1.25.10, 1.26.3
Published: May 7, 2026
Last enriched: 3d ago · v2
Tags: CVE-2026-42499
Trending Score: 59
Source articles: 3
Independent: 3
Info Completeness: 7/14
Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-29129 · EXP
Apache Tomcat: TLS cipher order is not preserved
Trending: 68
HIGH · CVE-2026-23918 · EXP
Apache HTTP Server: http2: double free and possible RCE on early reset
Trending: 62
CRITICAL · CVE-2026-29145
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Trending: 55
HIGH · CVE-2026-24880
Apache Tomcat: Request smuggling via invalid chunk extension
Trending: 53
MEDIUM · CVE-2026-32990
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
Trending: 49

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published (May 7, 2026)
Discovered by ZDM (May 7, 2026)
Updated: severity, affectedVersions, activelyExploited, tags (May 7, 2026)
Actively Exploited (May 8, 2026)
Patch Available (May 8, 2026)

Version History

v2 · Last enriched 3d ago
v2 · Tier C · 3d ago

Updated severity to HIGH, added affected versions 1.25.9 and 1.26.2, and noted that no exploit is available.

severity, affectedVersions, activelyExploited, tags
via VulDB
v1 · 4d ago

Initial creation