
Symfony Mailer CVE-2026-45068

MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-27 https://github.com/symfony/symfony GHSA-xx3c-qf5g-hc39

Lifecycle Timeline

Source Code Evidence Fetched
May 27, 2026 - 23:19 vuln.today
Analysis Generated
May 27, 2026 - 23:19 vuln.today


Description

Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration (e.g. smtp://..., sendmail://..., native://default). SendmailTransport invokes the local sendmail binary and supports two modes: -bs (speak SMTP over stdin; the default) and -t (read the message on stdin, pass recipients as command-line arguments).

In -t mode, recipient addresses are appended to the sendmail command line without a -- end-of-options separator. A recipient address beginning with - (which Symfony\Component\Mime\Address accepts as valid) is therefore interpreted by sendmail as a command-line option rather than an address.

Resolution

SendmailTransport now ensures that -- is placed before the list of recipients, so that sendmail stops option parsing and treats every following argument as an address.

The patch for this issue is available here for branch 5.4.
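The vulnerable and fixed command lines described above, as an added example that is not part of the advisory or of Symfony's code. It is a Python model of the construction: shlex.quote stands in for PHP's escapeshellarg(), and getopt.gnu_getopt with a hand-picked subset of sendmail's short options (SENDMAIL_OPTSTRING) stands in for sendmail's own option loop; the option subset, the binary path and the sample recipients are all constructed for illustration.

```python
import getopt
import shlex

# Constructed model of the CVE-2026-45068 bug, not Symfony's code.
SENDMAIL = "/usr/sbin/sendmail"

# Stand-in for sendmail's short-option string (assumption: a hand-picked
# subset; letters followed by ':' take a value, e.g. -C <config file>,
# -f <sender>, -o <option>, -X <trace log>).
SENDMAIL_OPTSTRING = "b:C:f:io:q:tvX:"

# The only flag the transport itself passes in -t mode.
TRANSPORT_FLAGS = {("-t", "")}


def build_command_line(recipients, terminate_options):
    """Build the sendmail -t command line the way the advisory describes.

    terminate_options=False reproduces the vulnerable construction (no
    '--'); True reproduces the fix. shlex.quote() stands in for PHP's
    escapeshellarg(): both neutralise shell metacharacters, and both leave
    a leading '-' untouched because '-' means nothing to the shell.
    """
    parts = [SENDMAIL, "-t"]
    if terminate_options:
        parts.append("--")
    parts.extend(shlex.quote(r) for r in recipients)
    return " ".join(parts)


def sendmail_view(command_line):
    """Split the line as the shell would, then run a getopt-style option
    loop over it as sendmail does. Returns (options, operands); operands
    are what sendmail would treat as recipient addresses. An option letter
    outside SENDMAIL_OPTSTRING raises getopt.GetoptError, mirroring an MTA
    refusing to start on an unknown flag (delivery fails either way)."""
    argv = shlex.split(command_line)
    return getopt.gnu_getopt(argv[1:], SENDMAIL_OPTSTRING)


def simulate(recipients, terminate_options):
    """Return which options the recipient list smuggled in and which
    addresses actually survive as recipients."""
    opts, operands = sendmail_view(build_command_line(recipients, terminate_options))
    return {
        "injected": [o for o in opts if o not in TRANSPORT_FLAGS],
        "recipients": operands,
    }


def option_like(address):
    """Defence in depth for callers that cannot upgrade yet: an address whose
    first character is '-' is read as an option by any getopt-style program
    that is not given '--'. RFC 5321 does allow '-' at the start of a local
    part, so rejecting such addresses is a policy choice, not a correctness
    fix; the real fix is the '--' separator."""
    return address.startswith("-")


if __name__ == "__main__":
    # Constructed input: one legitimate recipient plus two attacker-supplied
    # addresses that are syntactically valid but start with '-'.
    recipients = ["victim@example.com", "-X/tmp/sendmail.log", "-C/tmp/evil.cf"]
    for terminate in (False, True):
        print("with '--'" if terminate else "without '--'")
        print("  ", build_command_line(recipients, terminate))
        print("  ", simulate(recipients, terminate))
```

Without the separator, the two dash-prefixed "addresses" are consumed as -X and -C options and only the legitimate recipient remains an operand; with --, all three reach sendmail as recipients and no option is injected. Note that shell escaping is irrelevant here: the bug is in how sendmail parses its argv, not in how the shell splits the string.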

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Analysis

Argument injection in Symfony Mailer's SendmailTransport component allows an attacker who controls recipient email addresses to inject arbitrary sendmail command-line options when the transport operates in -t mode. The flaw affects symfony/mailer and symfony/symfony across the 5.4, 6.x, and 7.x branches, with fixed releases confirmed at 5.4.52, 6.4.40, and 7.4.12. …



