SendmailTransport Vulnerability in Symfony PHP Framework
CVE-2026-45068

8.7HIGH

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45068?

A vulnerability in the SendmailTransport of the Symfony PHP framework allows for command injection when recipient addresses starting with a dash (-) are incorrectly handled. In versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, these addresses could be misinterpreted as command-line options, leading to potential exploitation. Users are advised to update to the latest versions to mitigate this issue. Reference links provide details on the fix and release notes.

Affected Version(s)

mailer < 5.4.52 < 5.4.52

mailer >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

mailer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.