Phpmailer
CVE-2018-19296
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
AnalysisAI
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. Affected products include: Phpmailer Project Phpmailer, Debian Debian Linux, Fedoraproject Fedora, Wordpress. Version information: before 5.2.27.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote charac
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. Rated medium s
An issue was discovered in PHPMailer before 5.2.22. Rated medium severity (CVSS 5.5), this vulnerability is low attack c
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is inje
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. Ra
Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today