Skip to main content

Phpmailer

8 CVEs product

Monthly

CVE-2021-3603 PHP HIGH PATCH This Week

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Code Injection Phpmailer Fedora
NVD GitHub
CVSS 3.1
8.1
EPSS
2.3%
CVE-2021-34551 PHP HIGH PATCH This Week

PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft File Upload RCE Phpmailer Fedora
NVD GitHub
CVSS 3.1
8.1
EPSS
2.8%
CVE-2020-13625 PHP HIGH POC PATCH This Week

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Phpmailer Fedora Ubuntu Linux Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
3.8%
CVE-2018-19296 PHP HIGH PATCH This Week

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Phpmailer Debian Linux Fedora WordPress
NVD GitHub
CVSS 3.1
8.8
EPSS
2.2%
CVE-2017-11503 PHP MEDIUM POC PATCH This Month

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Phpmailer
NVD GitHub
CVSS 3.0
6.1
EPSS
2.9%
CVE-2017-5223 PHP MEDIUM POC PATCH This Month

An issue was discovered in PHPMailer before 5.2.22. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Phpmailer
NVD GitHub Exploit-DB VulDB
CVSS 3.0
5.5
EPSS
2.9%
CVE-2016-10045 PHP CRITICAL POC PATCH THREAT Act Now

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.4%.

Command Injection RCE Phpmailer WordPress Joomla
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
93.4%
Threat
6.3
CVE-2015-8476 PHP MEDIUM PATCH This Month

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

PHP Code Injection Debian Linux Phpmailer
NVD GitHub
CVSS 2.0
5.0
EPSS
0.9%
EPSS 2% CVSS 8.1
HIGH PATCH This Week

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Code Injection Phpmailer Fedora
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft File Upload RCE +2
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Phpmailer Fedora +2
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Phpmailer Debian Linux +2
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC PATCH This Month

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Phpmailer
NVD GitHub
EPSS 3% CVSS 5.5
MEDIUM POC PATCH This Month

An issue was discovered in PHPMailer before 5.2.22. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Phpmailer
NVD GitHub Exploit-DB VulDB
EPSS 93% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.4%.

Command Injection RCE Phpmailer +2
NVD GitHub Exploit-DB
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

PHP Code Injection Debian Linux +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy