VulnerableCode Package Details - pkg:deb/debian/libphp-phpmailer@6.2.0-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-jca1-hyks-kud3 Aliases: CVE-2021-3603 GHSA-77mr-wc79-m8j3	PHPMailer untrusted code may be run from an overridden address validator If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in default configuration as when no validation scheme is provided, the default scheme's callable `php` was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling `validateAddress()`. ### Impact Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway. ### Patches This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break. ### Workarounds Inject your own email validator function. ### References Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/). [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603) ### For more information If you have any questions or comments about this advisory: * Open an issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer) * [Email us](mailto:phpmailer@synchromedia.co.uk).	6.6.3-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-jca1-hyks-kud3
Aliases:
CVE-2021-3603
GHSA-77mr-wc79-m8j3

PHPMailer untrusted code may be run from an overridden address validator If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in default configuration as when no validation scheme is provided, the default scheme's callable `php` was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling `validateAddress()`. ### Impact Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway. ### Patches This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break. ### Workarounds Inject your own email validator function. ### References Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/). [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603) ### For more information If you have any questions or comments about this advisory: * Open an issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer) * [Email us](mailto:phpmailer@synchromedia.co.uk).

6.6.3-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-16kp-5zpw-fbha	Insufficient output escaping of attachment names in PHPMailer ### Impact CWE-116: Incorrect output escaping. An attachment added like this (note the double quote within the attachment name, which is entirely valid): $mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg'); Will result in a message containing these headers: Content-Type: application/octet-stream; name="filename.html";.jpg" Content-Disposition: attachment; filename="filename.html";.jpg" The attachment will be named `filename.html`, and the trailing `";.jpg"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this. Note that the MIME type itself is obtained automatically from the source filename (in this case `attachment.tmp`, which maps to a generic `application/octet-stream` type), and not the name given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods. ### Patches Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this: Content-Type: application/octet-stream; name="filename.html\";.jpg" Content-Disposition: attachment; filename="filename.html\";.jpg" ### Workarounds Reject or filter names and filenames containing double quote (`"`) characters before passing them to attachment functions such as `addAttachment()`. ### References [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). [PHPMailer 6.1.6 release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6) ### For more information If you have any questions or comments about this advisory: * Open an issue in [the PHPMailer repo](https://github.com/PHPMailer/PHPMailer/issues)	CVE-2020-13625 GHSA-f7hx-fqxw-rvvj
VCID-4mjb-ur86-hkaz	Object injection in PHPMailer/PHPMailer ### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like any kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in any PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to all user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.	CVE-2020-36326 GHSA-m298-fh5c-jc66

Vulnerability

Summary

Aliases

VCID-16kp-5zpw-fbha

Insufficient output escaping of attachment names in PHPMailer ### Impact CWE-116: Incorrect output escaping. An attachment added like this (note the double quote within the attachment name, which is entirely valid): $mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg'); Will result in a message containing these headers: Content-Type: application/octet-stream; name="filename.html";.jpg" Content-Disposition: attachment; filename="filename.html";.jpg" The attachment will be named `filename.html`, and the trailing `";.jpg"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this. Note that the MIME type itself is obtained automatically from the *source filename* (in this case `attachment.tmp`, which maps to a generic `application/octet-stream` type), and not the *name* given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods. ### Patches Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this: Content-Type: application/octet-stream; name="filename.html\";.jpg" Content-Disposition: attachment; filename="filename.html\";.jpg" ### Workarounds Reject or filter names and filenames containing double quote (`"`) characters before passing them to attachment functions such as `addAttachment()`. ### References [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). [PHPMailer 6.1.6 release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6) ### For more information If you have any questions or comments about this advisory: * Open an issue in [the PHPMailer repo](https://github.com/PHPMailer/PHPMailer/issues)

CVE-2020-13625
GHSA-f7hx-fqxw-rvvj

VCID-4mjb-ur86-hkaz

Object injection in PHPMailer/PHPMailer ### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.

CVE-2020-36326
GHSA-m298-fh5c-jc66

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:29:39.763466+00:00	Debian Importer	Affected by	VCID-jca1-hyks-kud3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-15T20:42:33.692677+00:00	Debian Oval Importer	Fixing	VCID-16kp-5zpw-fbha	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T16:49:37.168758+00:00	Debian Oval Importer	Fixing	VCID-4mjb-ur86-hkaz	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-13T07:04:59.942192+00:00	Debian Importer	Affected by	VCID-jca1-hyks-kud3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T20:23:36.192308+00:00	Debian Oval Importer	Fixing	VCID-16kp-5zpw-fbha	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T16:36:24.320788+00:00	Debian Oval Importer	Fixing	VCID-4mjb-ur86-hkaz	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-08T20:04:12.515427+00:00	Debian Oval Importer	Fixing	VCID-16kp-5zpw-fbha	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T18:42:19.039128+00:00	Debian Importer	Affected by	VCID-jca1-hyks-kud3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T16:27:13.014156+00:00	Debian Oval Importer	Fixing	VCID-4mjb-ur86-hkaz	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0