{"data":{"id":"59b1d552-6043-46e0-bafc-a4571c024083","title":"CVE-2026-45067: ### Description\n\n`Symfony\\Component\\Mime\\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply","summary":"A vulnerability in Symfony Mailer's Address class allowed attackers to inject email headers and SMTP commands (the protocol used to send emails) by embedding line break characters in email addresses. The constructor was supposed to validate addresses but failed to catch addresses with hidden `\\r\\n` bytes in the local-part (the text before the `@` symbol), which could be exploited to add unauthorized recipients or headers when the email was sent.","solution":"The Address constructor now rejects addresses containing line breaks. The patch is available at https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604 for branch 5.4.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-45067","publishedAt":"2026-07-14T18:17:16.847Z","cveId":"CVE-2026-45067","cweIds":["CWE-93"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Symfony"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-14T18:17:16.847Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}