29 matches found
EUVD-2026-36778
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request...
CVE-2026-50880
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request...
CVE-2026-50880
CVE-2026-50880 affects YouTransfer v1.0.6, specifically the sendmail transport integration component. The issue allows an attacker to execute arbitrary code by sending a crafted request. The cybersecurity metadata indicates a critical impact (CVSS 3.1: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). C...
PT-2026-49321
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request...
CVE-2026-50880
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request...
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Description Symfony Mailer selects a transport via the MAILERDSN environment variable / configuration e.g. smtp://..., sendmail://..., native://default. SendmailTransport invokes the local sendmail binary and supports two modes: -bs speak SMTP over stdin: the default and -t read the message on...
GHSA-XX3C-QF5G-HC39 Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Description Symfony Mailer selects a transport via the MAILERDSN environment variable / configuration e.g. smtp://..., sendmail://..., native://default. SendmailTransport invokes the local sendmail binary and supports two modes: -bs speak SMTP over stdin: the default and -t read the message on...
PT-2026-44137
Description Symfony Mailer selects a transport via the MAILER DSN environment variable / configuration e.g. smtp://..., sendmail://..., native://default. SendmailTransport invokes the local sendmail binary and supports two modes: -bs speak SMTP over stdin: the default and -t read the message on...
Arbitrary Argument Injection
Overview Affected versions of this package are vulnerable to Arbitrary Argument Injection via recipient handling in SendmailTransport when using sendmail -t mode. An attacker can inject arbitrary sendmail command-line options by supplying a recipient address beginning with -, as recipient address...
GHSA-4QPJ-GXXG-JQG4 Swiftmailer Sendmail transport arbitrary shell execution
Prior to 5.2.1, the sendmail transport SwiftTransportSendmailTransport was vulnerable to an arbitrary shell execution if the "From" header came from a non-trusted source and no "Return-Path" is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged ...
PT-2024-40077 · Unknown · Swiftmailer
Name of the Vulnerable Software and Affected Versions: SwiftMailer versions prior to 5.2.1 Description: The issue allows for arbitrary shell execution if the From header comes from a non-trusted source and no Return-Path is configured. This can be exploited when using the sendmail transport,...
Authenticated RCE through /admin/settings/email endpoint
Description Craftcms is vulnerable to Command Injection on the email settings, on the /admin/settings/email endpoint. An attacker can send a POST request with a specially crafted transportTypescraft\mail\transportadapters\Sendmailcommand= parameter to inject arbitrary commands that will be execut...
Remote command injection when using sendmail email transport
Impact Sites using the sendmail transport as part of their mail config are vulnerable to remote command injection due to a vulnerability in the nodemailer dependency. Ghost defaults to the direct transport so this is only exploitable if the sendmail transport is explicitly used. Patches Fixed in...
GHSA-WFRJ-QQC2-83CM Remote command injection when using sendmail email transport
Impact Sites using the sendmail transport as part of their mail config are vulnerable to remote command injection due to a vulnerability in the nodemailer dependency. Ghost defaults to the direct transport so this is only exploitable if the sendmail transport is explicitly used. Patches Fixed in...
Command Injection
Overview nodemailer before version 6.4.16 is vulnerable to command injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. Recommendation Upgrade to version 6.4.16 or later References - CVE - GitHub Advisory...
GHSA-48WW-J4FC-435P Command injection in nodemailer
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails...
Command injection in nodemailer
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails...
Command Injection
nodemailer is vulnerable to command injection. An attacker can inject malicious command flag via recipient email addresses in sendmail transport due to lack of validation for invalid email addresses...
CVE-2020-7769
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails...
DEBIAN-CVE-2020-7769
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails...