Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-4mjb-ur86-hkaz
Summary
Object injection in PHPMailer/PHPMailer
### Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8.  An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.

### Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.

### Workarounds
Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.

### Credit
This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.
Aliases
0
alias CVE-2020-36326
1
alias GHSA-m298-fh5c-jc66
Fixed_packages
0
url pkg:composer/phpmailer/phpmailer@6.4.1
purl pkg:composer/phpmailer/phpmailer@6.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44d3-4txm-cyc3
1
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.4.1
1
url pkg:deb/debian/libphp-phpmailer@6.2.0-2?distro=trixie
purl pkg:deb/debian/libphp-phpmailer@6.2.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.2.0-2%3Fdistro=trixie
2
url pkg:deb/debian/libphp-phpmailer@6.2.0-2
purl pkg:deb/debian/libphp-phpmailer@6.2.0-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.2.0-2
3
url pkg:deb/debian/libphp-phpmailer@6.6.3-1?distro=trixie
purl pkg:deb/debian/libphp-phpmailer@6.6.3-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.6.3-1%3Fdistro=trixie
4
url pkg:deb/debian/libphp-phpmailer@6.9.3-1?distro=trixie
purl pkg:deb/debian/libphp-phpmailer@6.9.3-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.9.3-1%3Fdistro=trixie
Affected_packages
0
url pkg:composer/phpmailer/phpmailer@6.1.8
purl pkg:composer/phpmailer/phpmailer@6.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44d3-4txm-cyc3
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.1.8
1
url pkg:composer/phpmailer/phpmailer@6.2.0
purl pkg:composer/phpmailer/phpmailer@6.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44d3-4txm-cyc3
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.2.0
2
url pkg:composer/phpmailer/phpmailer@6.3.0
purl pkg:composer/phpmailer/phpmailer@6.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44d3-4txm-cyc3
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.3.0
3
url pkg:composer/phpmailer/phpmailer@6.4.0
purl pkg:composer/phpmailer/phpmailer@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44d3-4txm-cyc3
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-jca1-hyks-kud3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.4.0
4
url pkg:deb/debian/libphp-phpmailer@1.73-2
purl pkg:deb/debian/libphp-phpmailer@1.73-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-k96h-dr15-ufhv
7
vulnerability VCID-ywsv-ddhg-b7es
8
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@1.73-2
5
url pkg:deb/debian/libphp-phpmailer@1.73-2etch1
purl pkg:deb/debian/libphp-phpmailer@1.73-2etch1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-k96h-dr15-ufhv
7
vulnerability VCID-ywsv-ddhg-b7es
8
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@1.73-2etch1
6
url pkg:deb/debian/libphp-phpmailer@1.73-6
purl pkg:deb/debian/libphp-phpmailer@1.73-6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-ywsv-ddhg-b7es
7
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@1.73-6
7
url pkg:deb/debian/libphp-phpmailer@5.1-1
purl pkg:deb/debian/libphp-phpmailer@5.1-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-ywsv-ddhg-b7es
7
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.1-1
8
url pkg:deb/debian/libphp-phpmailer@5.1-1%2Bdeb6u11
purl pkg:deb/debian/libphp-phpmailer@5.1-1%2Bdeb6u11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-ywsv-ddhg-b7es
7
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.1-1%252Bdeb6u11
9
url pkg:deb/debian/libphp-phpmailer@5.1-1.1
purl pkg:deb/debian/libphp-phpmailer@5.1-1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-ywsv-ddhg-b7es
7
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.1-1.1
10
url pkg:deb/debian/libphp-phpmailer@5.2.9%2Bdfsg-2
purl pkg:deb/debian/libphp-phpmailer@5.2.9%2Bdfsg-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-8msv-t7dq-qkd2
4
vulnerability VCID-cq4m-3q7u-cbg3
5
vulnerability VCID-f585-qf89-f7f3
6
vulnerability VCID-ywsv-ddhg-b7es
7
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.2.9%252Bdfsg-2
11
url pkg:deb/debian/libphp-phpmailer@5.2.9%2Bdfsg-2%2Bdeb8u3
purl pkg:deb/debian/libphp-phpmailer@5.2.9%2Bdfsg-2%2Bdeb8u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-7kvh-8w1t-2kej
3
vulnerability VCID-cq4m-3q7u-cbg3
4
vulnerability VCID-f585-qf89-f7f3
5
vulnerability VCID-ywsv-ddhg-b7es
6
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.2.9%252Bdfsg-2%252Bdeb8u3
12
url pkg:deb/debian/libphp-phpmailer@5.2.14%2Bdfsg-2.3%2Bdeb9u1
purl pkg:deb/debian/libphp-phpmailer@5.2.14%2Bdfsg-2.3%2Bdeb9u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
2
vulnerability VCID-f585-qf89-f7f3
3
vulnerability VCID-zju7-7wax-zfhz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.2.14%252Bdfsg-2.3%252Bdeb9u1
13
url pkg:deb/debian/libphp-phpmailer@6.0.6-0.1
purl pkg:deb/debian/libphp-phpmailer@6.0.6-0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16kp-5zpw-fbha
1
vulnerability VCID-4mjb-ur86-hkaz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.0.6-0.1
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-36326
reference_id
reference_type
scores
0
value 0.00304
scoring_system epss
scoring_elements 0.53673
published_at 2026-04-12T12:55:00Z
1
value 0.00304
scoring_system epss
scoring_elements 0.53698
published_at 2026-04-18T12:55:00Z
2
value 0.00304
scoring_system epss
scoring_elements 0.53693
published_at 2026-04-16T12:55:00Z
3
value 0.00304
scoring_system epss
scoring_elements 0.53656
published_at 2026-04-13T12:55:00Z
4
value 0.00304
scoring_system epss
scoring_elements 0.5369
published_at 2026-04-11T12:55:00Z
5
value 0.00759
scoring_system epss
scoring_elements 0.73295
published_at 2026-04-04T12:55:00Z
6
value 0.00759
scoring_system epss
scoring_elements 0.73316
published_at 2026-04-09T12:55:00Z
7
value 0.00759
scoring_system epss
scoring_elements 0.73303
published_at 2026-04-08T12:55:00Z
8
value 0.00759
scoring_system epss
scoring_elements 0.73262
published_at 2026-04-01T12:55:00Z
9
value 0.00759
scoring_system epss
scoring_elements 0.73267
published_at 2026-04-07T12:55:00Z
10
value 0.00759
scoring_system epss
scoring_elements 0.73272
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-36326
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml
3
reference_url https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
4
reference_url https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1
5
reference_url https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-36326
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-36326
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988732
reference_id 988732
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988732
12
reference_url https://github.com/advisories/GHSA-m298-fh5c-jc66
reference_id GHSA-m298-fh5c-jc66
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m298-fh5c-jc66
Weaknesses
0
cwe_id 502
name Deserialization of Untrusted Data
description The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
1
cwe_id 641
name Improper Restriction of Names for Files and Other Resources
description The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score9.0 - 10.0
Exploitability0.5
Weighted_severity9.0
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-4mjb-ur86-hkaz