10 matches found
CVE-2026-45755
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged...
CVE-2026-45755
The CVE-2026-45755 issue affects Symfonyâs Mailtrap Mailer Bridge (package symfony/mailtrap-mailer). The MailtrapRequestParser::doParse() method accepts the webhook payload using a configured secret but does not verify the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to forg...
CVE-2026-45755 Symfony: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC â Unauthenticated Webhook Event Injection
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged...
GHSA-59F3-VP2F-MP9W Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC â Unauthenticated Webhook Event Injection
Description The Mailtrap mailer bridge ships a webhook request parser used to authenticate and decode the event callbacks Mailtrap POSTs to an application's webhook endpoint. Its doParseRequest $request, \SensitiveParameter string $secret method receives the configured webhook secret but never...
PT-2026-44547
Name of the Vulnerable Software and Affected Versions Mailtrap mailer bridge versions prior to 7.4 Description The webhook request parser used to authenticate and decode event callbacks fails to verify the X-Mt-Signature HMAC header. Specifically, the doParseRequest $request, SensitiveParameter...
Missing Authentication for Critical Function
Overview symfony/mailtrap-mailer is a Symfony Mailtrap Mailer Bridge Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the doParse webhook request parser in the Mailtrap mailer bridge. An attacker can submit forged webhook events because the pars...
FluentSMTP < 2.2.3 - Stored XSS via Email Logs
The plugin does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks XSS when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML. PoC XSS Payload : Steps to reproduce: 1...
FluentSMTP < 2.2.3 - Stored XSS via Email Logs
The plugin does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks XSS when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML. XSS Payload : Steps to reproduce: 1. Install...
CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45755...
CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45755...