{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48029?format=json","vulnerability_id":"VCID-4mjb-ur86-hkaz","summary":"Object injection in PHPMailer/PHPMailer\n### Impact\nThis is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8.  An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.\n\n### Patches\nThis issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.\n\n### Workarounds\nValidate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.\n\n### Credit\nThis issue was found by Fariskhi Vidyan, reported and managed via Tidelift.","aliases":[{"alias":"CVE-2020-36326"},{"alias":"GHSA-m298-fh5c-jc66"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77352?format=json","purl":"pkg:composer/phpmailer/phpmailer@6.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-44d3-4txm-cyc3"},{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/928209?format=json","purl":"pkg:deb/debian/libphp-phpmailer@6.2.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.2.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1052190?format=json","purl":"pkg:deb/debian/libphp-phpmailer@6.2.0-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.2.0-2"},{"url":"http://public2.vulnerablecode.io/api/packages/928207?format=json","purl":"pkg:deb/debian/libphp-phpmailer@6.6.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.6.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/928210?format=json","purl":"pkg:deb/debian/libphp-phpmailer@6.9.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.9.3-1%3Fdistro=trixie"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/244803?format=json","purl":"pkg:composer/phpmailer/phpmailer@6.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-44d3-4txm-cyc3"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/244804?format=json","purl":"pkg:composer/phpmailer/phpmailer@6.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-44d3-4txm-cyc3"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/244805?format=json","purl":"pkg:composer/phpmailer/phpmailer@6.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-44d3-4txm-cyc3"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/244806?format=json","purl":"pkg:composer/phpmailer/phpmailer@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-44d3-4txm-cyc3"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-jca1-hyks-kud3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmailer/phpmailer@6.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/571138?format=json","purl":"pkg:deb/debian/libphp-phpmailer@1.73-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-k96h-dr15-ufhv"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@1.73-2"},{"url":"http://public2.vulnerablecode.io/api/packages/571139?format=json","purl":"pkg:deb/debian/libphp-phpmailer@1.73-2etch1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-k96h-dr15-ufhv"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@1.73-2etch1"},{"url":"http://public2.vulnerablecode.io/api/packages/571140?format=json","purl":"pkg:deb/debian/libphp-phpmailer@1.73-6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@1.73-6"},{"url":"http://public2.vulnerablecode.io/api/packages/571141?format=json","purl":"pkg:deb/debian/libphp-phpmailer@5.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.1-1"},{"url":"http://public2.vulnerablecode.io/api/packages/571142?format=json","purl":"pkg:deb/debian/libphp-phpmailer@5.1-1%2Bdeb6u11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.1-1%252Bdeb6u11"},{"url":"http://public2.vulnerablecode.io/api/packages/571143?format=json","purl":"pkg:deb/debian/libphp-phpmailer@5.1-1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.1-1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/1036564?format=json","purl":"pkg:deb/debian/libphp-phpmailer@5.2.9%2Bdfsg-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-8msv-t7dq-qkd2"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.2.9%252Bdfsg-2"},{"url":"http://public2.vulnerablecode.io/api/packages/1036565?format=json","purl":"pkg:deb/debian/libphp-phpmailer@5.2.9%2Bdfsg-2%2Bdeb8u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-7kvh-8w1t-2kej"},{"vulnerability":"VCID-cq4m-3q7u-cbg3"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-ywsv-ddhg-b7es"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.2.9%252Bdfsg-2%252Bdeb8u3"},{"url":"http://public2.vulnerablecode.io/api/packages/1037012?format=json","purl":"pkg:deb/debian/libphp-phpmailer@5.2.14%2Bdfsg-2.3%2Bdeb9u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"},{"vulnerability":"VCID-f585-qf89-f7f3"},{"vulnerability":"VCID-zju7-7wax-zfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@5.2.14%252Bdfsg-2.3%252Bdeb9u1"},{"url":"http://public2.vulnerablecode.io/api/packages/1052189?format=json","purl":"pkg:deb/debian/libphp-phpmailer@6.0.6-0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16kp-5zpw-fbha"},{"vulnerability":"VCID-4mjb-ur86-hkaz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libphp-phpmailer@6.0.6-0.1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36326","reference_id":"","reference_type":"","scores":[{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53731","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.5369","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53659","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53633","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.5367","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53619","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53572","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53621","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53643","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53681","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53698","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53693","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53656","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00304","scoring_system":"epss","scoring_elements":"0.53673","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73295","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73262","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73272","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73267","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73303","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73316","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36326"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml"},{"reference_url":"https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9"},{"reference_url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1"},{"reference_url":"https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36326","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36326"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988732","reference_id":"988732","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988732"},{"reference_url":"https://github.com/advisories/GHSA-m298-fh5c-jc66","reference_id":"GHSA-m298-fh5c-jc66","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m298-fh5c-jc66"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":641,"name":"Improper Restriction of Names for Files and Other Resources","description":"The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":"0.5","weighted_severity":"9.0","risk_score":4.5,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4mjb-ur86-hkaz"}