Email Address Validation Flaw in Symfony Mailer Affects Multiple Versions
CVE-2026-45067

6.3MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-45067?

The Symfony Mailer contains a vulnerability in its handling of email addresses within the Address component. This issue arises when the constructor incorrectly allows email addresses with line breaks in the local-part, which are RFC-5322 quoted strings containing raw bytes. When these addresses are processed, the embedded CRLF can be transformed into new mail headers or SMTP commands, potentially leading to address spoofing and unauthorized actions within email communications. A patch has been released to reject such invalid addresses, thereby securing the integrity of email header information.

Affected Version(s)

symfony < 5.4.52 < 5.4.52

symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.