3 matches found
GHSA-7Q44-R25X-WM4Q Remote Code Execution vulnerability in PHPMailer 6.4.1 running on Windows
PHPMailer 6.4.1 contains a possible remote code execution vulnerability through the $langpath parameter of the setLanguage method. If the $langpath parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to create a remote mount on the server...
GHSA-M298-FH5C-JC66 Object injection in PHPMailer/PHPMailer
Impact: This is a reintroduction of an earlier issue CVE-2018-19296 by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for .phar files. Exploitation requires that an attacker is able to provide...
Object injection via local phar file
This is a security release. SECURITY: Fixes CVE-2020-36326, a regression of CVE-2018-19296 object injection introduced in 6.1.8, see SECURITY.md for details. Reject more file paths that look like URLs, matching RFC3986 spec, blocking URLs using schemes such as ssh2. Ensure method signature consisten...