Arbitrary Argument Injection Affecting symfony/mailer package, versions <5.4.52>=6.0.0-BETA1, <6.4.40>=7.0.0-BETA1, <7.4.12>=8.0.0-BETA1, <8.0.12
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-SYMFONYMAILER-16873898
- published24 May 2026
- disclosed20 May 2026
- creditClaude Mythos
Introduced: 20 May 2026
NewCVE-2026-45068 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade symfony/mailer to version 5.4.52, 6.4.40, 7.4.12, 8.0.12 or higher.
Overview
Affected versions of this package are vulnerable to Arbitrary Argument Injection via recipient handling in SendmailTransport when using sendmail -t mode. An attacker can inject arbitrary sendmail command-line options by supplying a recipient address beginning with -, as recipient addresses are appended to the sendmail command without a -- end-of-options separator.