{"url":"http://public2.vulnerablecode.io/api/packages/561396?format=json","purl":"pkg:composer/swiftmailer/swiftmailer@5.3.0","type":"composer","namespace":"swiftmailer","name":"swiftmailer","version":"5.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.5","latest_non_vulnerable_version":"6.2.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/182632?format=json","vulnerability_id":"VCID-evnd-7n6n-cuck","summary":"security update","references":[{"reference_url":"http://packetstormsecurity.com/files/140290/SwiftMailer-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/140290/SwiftMailer-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10074","reference_id":"","reference_type":"","scores":[{"value":"0.73109","scoring_system":"epss","scoring_elements":"0.98808","published_at":"2026-06-11T12:55:00Z"},{"value":"0.73109","scoring_system":"epss","scoring_elements":"0.98812","published_at":"2026-06-12T12:55:00Z"},{"value":"0.73109","scoring_system":"epss","scoring_elements":"0.98814","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10074"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10074","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10074"},{"reference_url":"http://seclists.org/fulldisclosure/2016/Dec/86","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://
seclists.org/fulldisclosure/2016/Dec/86"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/CVE-2016-10074.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/CVE-2016-10074.yaml"},{"reference_url":"https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGES","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGES"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10074","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10074"},{"reference_url":"https://www.exploit-db.com/exploits/40972","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/40972"},{"reference_url":"https://www.exploit-db.com/exploits/40986","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/40986"},{"reference_url":"https://www.exp
loit-db.com/exploits/42221","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/42221"},{"reference_url":"http://www.debian.org/security/2017/dsa-3769","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2017/dsa-3769"},{"reference_url":"http://www.securityfocus.com/bid/95140","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/95140"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849626","reference_id":"849626","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849626"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/40972.php","reference_id":"CVE-2016-10074","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/40972.php"},{"reference_url":"https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html","reference_id":"CVE-2016-10074","reference_type":"exploit","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html"},{"reference_url":"https://git
hub.com/advisories/GHSA-pr44-4jfr-286m","reference_id":"GHSA-pr44-4jfr-286m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pr44-4jfr-286m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/386464?format=json","purl":"pkg:composer/swiftmailer/swiftmailer@5.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-u5a8-nh9r-93bw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/swiftmailer/swiftmailer@5.4.5"}],"aliases":["CVE-2016-10074","GHSA-pr44-4jfr-286m"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-evnd-7n6n-cuck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39950?format=json","vulnerability_id":"VCID-u5a8-nh9r-93bw","summary":"Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Symfony 1 has a gadget chain due to a vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserializes user input in their project. This vulnerability presents no direct threat, but is a vector that will enable remote code execution if a developer deserializes untrusted user data. Symfony 1 depends on Swift Mailer which is bundled by default in the vendor directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods. These methods are called when PHP destroys the object in memory. However, it is possible to include any object type in `$this->_keys` to make PHP access array/object properties other than those intended by the developer. In particular, it is possible to abuse the array access which is triggered on foreach($this->_keys ...) for any class implementing the ArrayAccess interface. 
This may allow an attacker to execute any PHP command which leads to remote code execution. This issue has been addressed in version 1.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28859","reference_id":"","reference_type":"","scores":[{"value":"0.05107","scoring_system":"epss","scoring_elements":"0.90051","published_at":"2026-06-11T12:55:00Z"},{"value":"0.05107","scoring_system":"epss","scoring_elements":"0.90088","published_at":"2026-06-14T12:55:00Z"},{"value":"0.05107","scoring_system":"epss","scoring_elements":"0.9009","published_at":"2026-06-13T12:55:00Z"},{"value":"0.05107","scoring_system":"epss","scoring_elements":"0.90082","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28859"},{"reference_url":"https://github.com/FriendsOfSymfony1/symfony1","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony1/symfony1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28859","reference_id":"CVE-2024-28859","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28859"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml","reference_id":"CVE-2024-28859.YAML","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"htt
ps://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/symfony1/CVE-2024-28859.yaml","reference_id":"CVE-2024-28859.YAML","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/symfony1/CVE-2024-28859.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/CVE-2024-28859.yaml","reference_id":"CVE-2024-28859.YAML","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/CVE-2024-28859.yaml"},{"reference_url":"https://github.com/FriendsOfSymfony1/symfony1/commit/edb850f94fb4de18ca53d0d1824910d6e8130166","reference_id":"edb850f94fb4de18ca53d0d1824910d6e8130166","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-18T14:49:46Z/"}],"url":"https://github.com/FriendsOfSymfony1/symfony1/commit/edb850f94fb4de18ca53d0d1824910d6e8130166"},{"reference_url":"https://github.com/advisories/GHSA-wjv8-pxr6-5f4r","reference_id":"GHSA-wjv8-pxr6-5f4r","reference_type":"","scores":[{"value":"MODERATE","sc
oring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wjv8-pxr6-5f4r"},{"reference_url":"https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r","reference_id":"GHSA-wjv8-pxr6-5f4r","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-18T14:49:46Z/"}],"url":"https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29887?format=json","purl":"pkg:composer/swiftmailer/swiftmailer@6.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/swiftmailer/swiftmailer@6.2.5"}],"aliases":["CVE-2024-28859","GHSA-wjv8-pxr6-5f4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u5a8-nh9r-93bw"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/swiftmailer/swiftmailer@5.3.0"}