Unpatched PHPMailer Vulnerability Exposes Email Sending Capabilities

UNKNOWN No Patch (2837 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

PHPMailer is a popular open-source library used to send emails in PHP applications. This vulnerability allows attackers to execute arbitrary commands on the server by sending malicious email attachments or HTML content, potentially leading to code injection and further exploitation.

Am I affected?

You're affected if you use PHPMailer version 5.2.0 through 5.4.0. Check with either of:

  1. grep -q "PHPMailer" /usr/lib/php/20131226/phpmailer.php
  2. In a Composer-managed project, run composer show phpmailer/phpmailer from the directory that holds composer.json; the "versions" line reports the installed version. (The --version flag is Composer's global option and prints Composer's own version, not the package's.)
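A more direct check than the grep above is to read the version actually pinned in composer.lock and compare it against the advisory's range. The script below is an added example, not part of this advisory; it assumes composer.lock's standard layout (each package's "name" line precedes its "version" line) and runs against a constructed sample lock file.

```shell
# Added example, not from the advisory: flag a composer.lock whose pinned
# phpmailer/phpmailer version falls in the range the advisory names (5.2.0..5.4.0).

# Compare dotted versions; a leading "v" and any suffix like "-rc1" are ignored.
# Prints -1, 0 or 1.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*//')
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Exit 0 when $1 lies within the affected range 5.2.0 .. 5.4.0 (inclusive).
phpmailer_affected() {
  [ "$(vercmp "$1" 5.2.0)" -ge 0 ] && [ "$(vercmp "$1" 5.4.0)" -le 0 ]
}

# Pinned phpmailer/phpmailer version from a composer.lock; assumes the usual
# layout where a package's "name" line precedes its "version" line.
lock_phpmailer_version() {
  awk '/"name": *"phpmailer\/phpmailer"/ { found = 1; next }
       found && /"version":/ { gsub(/[",]/, ""); print $2; exit }' "$1"
}

# Verdict for one lock file: exit 0 affected, 1 not affected, 2 not pinned.
check_lock() {
  v=$(lock_phpmailer_version "$1")
  [ -n "$v" ] || { echo "phpmailer/phpmailer not pinned in $1"; return 2; }
  if phpmailer_affected "$v"; then echo "AFFECTED: phpmailer/phpmailer $v"; return 0; fi
  echo "not affected: phpmailer/phpmailer $v"; return 1
}

# Constructed sample composer.lock fragment so the script runs stand-alone.
SAMPLE_LOCK=$(mktemp)
printf '{ "packages": [ {\n  "name": "phpmailer/phpmailer",\n  "version": "v5.2.28",\n  "type": "library" } ] }\n' > "$SAMPLE_LOCK"
check_lock "$SAMPLE_LOCK"
rm -f "$SAMPLE_LOCK"
```

Point check_lock at a real project's composer.lock (or loop it over several) to get a per-project verdict by exit status.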

Affected Products

PHPMailer Project / PHPMailer

How to fix

  1. Upgrade to PHPMailer version 5.6.0 or later from the official GitHub repository: https://github.com/PHPMailer/PHPMailer/releases/tag/v5.6.0
  2. If an immediate upgrade isn't possible, disable the SMTP transport in your configuration file (e.g., phpmailer.php) so the application cannot send email.