Skip to main content

Symfony Mailer EUVDEUVD-2026-44370

| CVE-2026-45068 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-27 https://github.com/symfony/symfony GHSA-xx3c-qf5g-hc39
8.7
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AC:H because exploitation needs the non-default sendmail '-t' mode plus an app path passing attacker input as a recipient; PR:N/UI:N per the injection reaching sendmail directly; integrity-only impact (I:H, C:N, A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 20:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 20:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 23:19 vuln.today
Analysis Generated
May 27, 2026 - 23:19 vuln.today

DescriptionCVE.org

Description

Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration (e.g. smtp://..., sendmail://..., native://default). SendmailTransport invokes the local sendmail binary and supports two modes: -bs (speak SMTP over stdin: the default) and -t (read the message on stdin, pass recipients as command-line arguments).

In -t mode, recipient addresses are appended to the sendmail command line without a -- end-of-options separator. A recipient address beginning with - (which Symfony\Component\Mime\Address accepts as valid) is therefore interpreted by sendmail as a command-line option rather than an address.

Resolution

The SendmailTransport transport now ensure -- is set before the list of recipients.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Argument (option) injection in Symfony Mailer's SendmailTransport lets a dash-prefixed recipient address be interpreted as a sendmail command-line flag, allowing an attacker who controls a recipient value to manipulate how the local sendmail binary is invoked. It affects symfony/mailer (and the monolithic symfony/symfony) before 5.4.52, 6.4.40, 7.4.12 and 8.0.12 when the transport runs in -t mode. No public exploit identified at time of analysis; EPSS is low (0.06%, 20th percentile) and the issue is not in CISA KEV, but the NVD CVSS 4.0 score is 8.7 (High) driven by a high integrity impact.

Technical ContextAI

The affected component is Symfony's Mailer, specifically the SendmailTransport class (pkg:composer/symfony_mailer, also shipped inside the monolithic pkg:composer/symfony_symfony). Symfony Mailer chooses a transport from the MAILER_DSN setting; the sendmail:// transport shells out to the local sendmail binary. Sendmail supports -bs (SMTP over stdin - Symfony's default and NOT vulnerable) and -t (recipients passed as command-line arguments). The root cause is CWE-88 (Argument Injection / improper neutralization of argument delimiters): in -t mode the recipient addresses were appended to the command line without a -- end-of-options separator. Because Symfony\Component\Mime\Address accepts addresses that begin with -, such a value is parsed by sendmail as an option (e.g. -C, -X, -O) rather than as a destination. The commit diff (c45144862dc289d03952f41f6078174089a3afc6) confirms the fix simply appends ' --' before the recipient list.

RemediationAI

Vendor-released patch: upgrade to symfony/mailer (or symfony/symfony) 5.4.52, 6.4.40, 7.4.12, or 8.0.12 depending on your release line, via composer update symfony/mailer - this adds the -- end-of-options separator before recipients (commit c45144862dc289d03952f41f6078174089a3afc6). Consult the advisory at https://github.com/symfony/symfony/security/advisories/GHSA-xx3c-qf5g-hc39 and release notes at https://github.com/symfony/symfony/releases/tag/v7.4.12 (and the matching 5.4.52 / 6.4.40 / 8.0.12 tags). If you cannot patch immediately, switch the SendmailTransport out of -t mode back to the default -bs mode (SMTP over stdin), which is not affected - the trade-off is that -bs behaves slightly differently in how recipients are derived from the message. As a second compensating control, validate and reject recipient addresses that begin with - before they reach the mailer (e.g. constrain user-supplied email inputs), accepting that this adds application-side input validation you must maintain. These controls reduce exposure but the upgrade is the definitive fix.

Share

EUVD-2026-44370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy