84 matches found

Github Security Blog
added 2026/05/27 8:42 p.m. · 8 views

Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Description Symfony\Component\Mime\Address is the value-object every Symfony Mailer address to/cc/bcc/from/reply-to flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

AI score 5.8
Exploits 0 · References 6 · Affected Software 2
Nuclei
added 2026/03/30 4:20 a.m. · 6 views

Mailpit < 1.28.2 - SMTP CRLF Injection

Mailpit 1.28 contains a header injection caused by insufficient regex validation of RCPT TO and MAIL FROM addresses in the SMTP server, letting attackers inject arbitrary SMTP headers; exploitation requires crafted email addresses. id: CVE-2026-23829 info: name: Mailpit 1.28.2 - SMTP CRLF Injection...

CVSS 5.3 · AI score 5.9 · EPSS 0.01594
Exploits 4 · References 2
Cvelist
added 2026/03/28 9:27 a.m. · 33 views

CVE-2026-2442 Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences 'CRLF Injection' in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on...

CVSS 5.3 · EPSS 0.00152
Exploits 0 · References 2
Vulnrichment
added 2026/03/04 8:45 a.m. · 3 views

CVE-2026-27443 S/MIME Decryption Tag Sanitization Bypass

SEPPmail Secure Email Gateway before version 15.0.1 does not properly sanitize the headers from S/MIME protected MIME entities, allowing an attacker to control trusted headers...

CVSS 8.2 · AI score 5.9 · EPSS 0.00092
Exploits 0 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2002-1818

Malware in sbrugna...

CVSS 5 · AI score 6.4 · EPSS 0.0038
Exploits 0 · References 4
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2002-0487

Malware in sbrugna...

CVSS 10 · AI score 6.4 · EPSS 0.02256
Exploits 0 · References 5
CNNVD
added 2025/02/28 12:00 a.m. · 2 views

CPython security vulnerability

CPython is a Python interpreter implemented in C from the Python Foundation. A security vulnerability exists in CPython that stems from commas being Unicode-encoded when collapsing address lists, which could cause mail servers to misinterpret address headers...

CVSS 2.3 · AI score 6.1 · EPSS 0.00753
Exploits 0 · References 8
Positive Technologies
added 2024/08/14 12:00 a.m. · 2 views

PT-2024-7272 · Dovecot +10 · Dovecot +10

Name of the Vulnerable Software and Affected Versions: Dovecot affected versions not specified Description: The issue is related to resource exhaustion when parsing messages with very large headers. The message-parser reads reasonably sized chunks of the message, but when it feeds them to the...

CVSS 9.8 · AI score 6.2 · EPSS 0.38348
Exploits 15 · References 112
Github Security Blog
added 2023/08/24 10:20 p.m. · 13 views

mail-internals use-after-free vulnerability in `vec_insert_bytes`

Incorrect reallocation logic in the function `vec_insert_bytes` causes a use-after-free. This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally. The mail-* suite is unmaintained and the upstream sources have...

AI score 6.9
Exploits 0 · References 3 · Affected Software 1
vulnersOsv
added 2023/08/24 10:20 p.m. · 0 views

feembox (>=0.1.0 <=0.1.1), mail (>=0.6.0 <=0.7.0) +5 more potentially affected by unknown CVE via mail-internals (=0.2.3)

mail-internals CARGO version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on mail-internals and may be impacted: - feembox =0.1.0, =0.6.0, =0.6.0, =0.6.0, =0.2.0, =0.6.0, =0.1.0, =0.1.2 Source cves: unknown CVE Source advisory:...

AI score 5.8
Exploits 0
RustSec
added 2023/08/07 12:00 p.m. · 2 views

Use-after-free in `vec_insert_bytes`

Incorrect reallocation logic in the function `vec_insert_bytes` causes a use-after-free. This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally. The mail-* suite is unmaintained and the upstream sources have...

AI score 7.1
Exploits 0 · Affected Software 1
SUSE CVE
added 2023/02/15 4:13 a.m. · 1 view

SUSE CVE-2019-11049

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to the mail function, due to a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations...

CVSS 9.8 · AI score 7.6 · EPSS 0.028
Exploits 0 · References 3
OPENSUSE Linux
added 2022/10/16 12:00 a.m. · 52 views

Security update for roundcubemail (important)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2022:10148-1 Rating: important References: 1180132 1180399 Cross-References: CVE-2019-10740 CVE-2020-12641 CVE-2020-16145 CVE-2020-35730 CVSS scores: CVE-2019-10740 NVD : 4.3...

CVSS 9.8 · AI score 7.1 · EPSS 0.93275
Exploits 3 · References 2
OSV
added 2022/05/17 2:15 a.m. · 0 views

GHSA-P7VM-PHXX-G722 Improper Input Validation in Apache Commons Email

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers...

CVSS 7.5 · AI score 7.2 · EPSS 0.01321
Exploits 0 · References 4
Positive Technologies
added 2021/10/05 12:00 a.m. · 2 views

PT-2021-19617 · Axis Communications +1 · Axis Os +3

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue is related to a user-controlled parameter in the SMTP test functionality that is not correctly validated. This allows an attacker to add...

CVSS 8.8 · AI score 7 · EPSS 0.00615
Exploits 0 · References 5
CNNVD
added 2021/10/05 12:00 a.m. · 1 view

Axis Os injection vulnerability

Axis Os is an edge device operating system from Axis of Sweden. An injection vulnerability exists in Axis devices AXIS OS version 5.51 and later versions, which stems from a failure to properly validate a control parameter related to the SMTP test function, and as a result, it is possible to add...

CVSS 8.8 · AI score 8.1 · EPSS 0.00615
Exploits 0 · References 2
OpenVAS
added 2021/06/09 12:00 a.m. · 12 views

SUSE: Security Advisory (SUSE-SU-2019:0414-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.7 · AI score 6.9 · EPSS 0.01572
Exploits 1 · References 2
Positive Technologies
added 2019/12/21 12:00 a.m. · 2 views

PT-2019-12154 · Php +1 · Php +1

Name of the Vulnerable Software and Affected Versions: PHP versions 7.3.x through 7.3.12 PHP version 7.4.0 Description: The issue arises when custom headers are supplied to the mail function in lowercase, resulting in double-freeing certain memory locations due to a mistake introduced in a specif...

CVSS 9.8 · AI score 6.5 · EPSS 0.41483
Exploits 5 · References 41
Tenable Nessus
added 2019/02/26 12:00 a.m. · 28 views

openSUSE Security Update : dovecot23 (openSUSE-2019-243)

This update for dovecot23 fixes the following issues: dovecot was updated to the 2.3.3 release, bringing lots of bugfixes (bsc1124356). Also the following security issue was fixed: - CVE-2019-3814: A vulnerability in Dovecot related to SSL client certificate authentication was fixed (bsc1123022). The...

CVSS 7.7 · AI score 6.9 · EPSS 0.01572
Exploits 1 · References 4
OSV
added 2017/08/07 3:29 p.m. · 1 view

CVE-2017-9801

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers...

CVSS 7.5 · AI score 5.9
Exploits 0 · References 3