Phpmailer/phpmailer
This hub aggregates every CVE we track for Phpmailer/phpmailer, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 14
- Critical: 4
- High: 5
- In CISA KEV: 1
Severity distribution
- HIGH: 5
- MEDIUM: 5
- CRITICAL: 4
Monthly trend (chart, 2024-07 to 2026-06): every monthly value shown is 0.
Latest CVEs
The 14 most recently published vulnerabilities affecting Phpmailer/phpmailer.
- CVE-2021-3603: Inclusion of Functionality from Untrusted Control Sphere in PHPMailer/PHPMailer (score: 8.1)
- CVE-2021-34551: PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. (score: 8.1)
- CVE-2020-36326: PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a fu... (score: 9.8)
- CVE-2020-13625: PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or... (score: 7.5)
- CVE-2018-19296: PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. (score: 8.8)
- CVE-2017-11503: PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. (score: 6.1)
- CVE-2017-5223: An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is ... (score: 5.5)
- CVE-2016-10033: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (... [KEV] (score: 9.8)
- CVE-2016-10045: The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction ... (score: 9.8)
- CVE-2015-8476: Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in cl... (score: 5.0)
- CVE-2012-0796: class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated u... (score: 4.0)
- CVE-2008-5619: html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote atta... (score: 10.0)
- CVE-2007-3215: PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php. (score: 6.8)
- CVE-2006-5734: Multiple PHP remote file inclusion vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) section parameter in (a) documentation/common/frame_to... (score: 7.5)
Product normalization is registry-driven with AI assist and human review.