Unpatched PHPMailer Vulnerability

UNKNOWN No Patch (2837 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

PHPMailer is a popular open-source library used for sending emails in PHP applications. This vulnerability allows attackers to inject malicious code into email bodies, potentially leading to arbitrary code execution on the server.

Am I affected?

You're affected if you use PHPMailer version 5.2.0 or earlier. Check with: grep -r "PHPMailer" . (search for PHPMailer in your project's files)

Note: This vulnerability is similar to CVE-2019-2523, but the specific PHPMailer version and behavior differ.
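As an added example (not part of this advisory), the POSIX shell script below goes one step further than the grep above: it finds PHPMailer copies under a project tree, reads the version string each copy declares, and reports those at or below the 5.2.0 cut-off. It assumes PHPMailer declares its version the way its own sources do, as public $Version = '...' in 5.x (class.phpmailer.php) and const VERSION = '...' in 6.x (src/PHPMailer.php); the sample tree it scans is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the advisory: inventory PHPMailer copies in a
# project and flag those whose declared version is <= CUTOFF.
CUTOFF="5.2.0"

# Print the version string declared in one PHPMailer source file, if any.
# Assumes the upstream declaration styles: `public $Version = 'x.y.z';`
# (PHPMailer 5.x) or `const VERSION = 'x.y.z';` (PHPMailer 6.x).
phpmailer_version() {
    sed -n -E \
        -e "s/.*public [\$]Version *= *'([0-9.]+)'.*/\1/p" \
        -e "s/.*const VERSION *= *'([0-9.]+)'.*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted version $1 is <= $2 (numeric, component-wise).
# Implemented in awk so it does not depend on GNU `sort -V`.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        lim = (n > m) ? n : m
        for (i = 1; i <= lim; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# Walk a project tree and print "<path> <version>" for every PHPMailer copy
# at or below CUTOFF. Returns 0 if at least one affected copy was found.
scan_project() {
    found=1
    for f in $(find "$1" -type f -name '*.php'); do
        v=$(phpmailer_version "$f")
        [ -n "$v" ] || continue
        if version_le "$v" "$CUTOFF"; then
            echo "$f $v"
            found=0
        fi
    done
    return $found
}

# Build a constructed sample tree: one vulnerable 5.2.0 copy in vendor/
# next to an up-to-date 6.x copy in src/. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vendor/phpmailer" "$d/src"
    printf "<?php\nclass PHPMailer {\n    public \$Version = '5.2.0';\n}\n" \
        > "$d/vendor/phpmailer/class.phpmailer.php"
    printf "<?php\nclass PHPMailer {\n    const VERSION = '6.8.0';\n}\n" \
        > "$d/src/PHPMailer.php"
    echo "$d"
}

# Demo run on the constructed tree; for a real project call
# `scan_project /path/to/project` instead.
demo_dir=$(make_sample_tree)
scan_project "$demo_dir" || echo "no affected PHPMailer copies found"
rm -rf "$demo_dir"
```

On the sample tree the scan prints only the vendor/ copy with its version 5.2.0; the 6.8.0 copy is found but not reported. A vendored copy that was patched by hand without bumping the version string will still be flagged, which is the safer failure mode for an inventory check.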

Affected Packages

  - cargo: serde
  - nuget: Newtonsoft.Json
  - pypi: requests

Affected Products

PHPMailer Project / PHPMailer

How to fix

  1. Upgrade to PHPMailer 5.2.7 or later from https://github.com/PHPMailer/PHPMailer.
  2. If upgrading isn't possible, immediately apply the following mitigations:
     - Disable the smtp extension in your PHP configuration.
     - Set the SMTPAutoAuthMode to 0 (disable auto-auth mode) in your PHPMailer settings.