CVE-2026-45067: ### Description `Symfony\Component\Mime\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply
Summary
A vulnerability in Symfony Mailer's Address class allowed attackers to inject email headers and SMTP commands (the protocol used to send emails) by embedding line break characters in email addresses. The constructor was supposed to validate addresses but failed to catch addresses with hidden `\r\n` bytes in the local-part (the text before the `@` symbol), which could be exploited to add unauthorized recipients or headers when the email was sent.
Solution / Mitigation
The Address constructor now rejects addresses containing line breaks. The patch is available at https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604 for branch 5.4.
Vulnerability Details
EPSS: 0.0%
July 14, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
CVE-2026-2589: The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-45067
First tracked: July 14, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 75%