SendmailTransport Vulnerability in Symfony PHP Framework
CVE-2026-45068
8.7HIGH
What is CVE-2026-45068?
A vulnerability in the SendmailTransport of the Symfony PHP framework allows for command injection when recipient addresses starting with a dash (-) are incorrectly handled. In versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, these addresses could be misinterpreted as command-line options, leading to potential exploitation. Users are advised to update to the latest versions to mitigate this issue. Reference links provide details on the fix and release notes.
Affected Version(s)
mailer < 5.4.52 < 5.4.52
mailer >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40
mailer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
