CVE-2016-10045 — CVSS 9.8 (critical): The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently…
CVE-2020-36326 — CVSS 9.8 (critical): PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is…
CVE-2021-3603 — CVSS 8.1 (high): PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host…
CVE-2021-34551 — CVSS 8.1 (high): PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.
CVE-2020-13625 — CVSS 7.5 (high): PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can…
CVE-2017-11503 — CVSS 6.1 (medium): PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
CVE-2017-5223 — CVSS 5.5 (medium): An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it…
CVE-2015-8476 — CVSS 5.0 (medium): Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in…