Vulnerabilities > Phpmailer Project
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-06-17 | CVE-2021-3603 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products. PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). | 8.1 |
2021-06-16 | CVE-2021-34551 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products. PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. | 8.1 |
2021-04-28 | CVE-2020-36326 | Deserialization of Untrusted Data vulnerability in multiple products. PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. | 9.8 |
2020-06-08 | CVE-2020-13625 | Improper Encoding or Escaping of Output vulnerability in multiple products. PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. | 7.5 |
2018-11-16 | CVE-2018-19296 | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. | 8.8 |
2017-07-20 | CVE-2017-11503 | Cross-site Scripting vulnerability in PHPmailer Project PHPmailer 5.2.23. PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. | 4.3 |
2017-01-16 | CVE-2017-5223 | Information Exposure vulnerability in PHPmailer Project PHPmailer. An issue was discovered in PHPMailer before 5.2.22. | 2.1 |
2016-12-30 | CVE-2016-10045 | Command Injection vulnerability in multiple products. The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. | 7.5 |
2016-12-30 | CVE-2016-10033 | Argument Injection or Modification vulnerability in multiple products. The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. | 9.8 |
2015-12-16 | CVE-2015-8476 | Improper Input Validation vulnerability in multiple products. Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796. | 5.0 |