Package details: pkg:deb/debian/libphp-phpmailer@6.2.0-2

purl: pkg:deb/debian/libphp-phpmailer@6.2.0-2
Next non-vulnerable version: 6.6.3-1
Latest non-vulnerable version: 6.6.3-1
Risk: 4.0
Vulnerabilities affecting this package (1)

Vulnerability: VCID-377c-stcv-abgs
Aliases: CVE-2021-3603, GHSA-77mr-wc79-m8j3
Summary: PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
Fixed by: 6.6.3-1 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (2)

Vulnerability: VCID-vc72-ptj1-kyh4
Aliases: CVE-2020-13625, GHSA-f7hx-fqxw-rvvj
Summary: PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

Vulnerability: VCID-vqjk-32b7-zkgz
Aliases: CVE-2020-36326, GHSA-m298-fh5c-jc66
Summary: Object injection in PHPMailer/PHPMailer

### Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.

### Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.

### Workarounds
Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.

### Credit
This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.

History (Date / Actor / Action / Vulnerability / Source / VulnerableCode Version)

2025-08-01T16:30:22.730276+00:00 / Debian Oval Importer / Fixing / VCID-vc72-ptj1-kyh4 / https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 / 37.0.0
2025-08-01T13:10:10.654155+00:00 / Debian Oval Importer / Fixing / VCID-vqjk-32b7-zkgz / https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 / 37.0.0
2025-08-01T12:40:37.219125+00:00 / Debian Importer / Affected by / VCID-377c-stcv-abgs / https://security-tracker.debian.org/tracker/data/json / 37.0.0