{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45067/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["symfony/mime","symfony/symfony"],"_cs_severities":["high"],"_cs_tags":["crlf-injection","email-injection","symfony","CVE-2026-45067"],"_cs_type":"threat","_cs_vendors":["Symfony"],"content_html":"\u003cp\u003eSymfony, a popular PHP framework, is affected by a critical vulnerability in its Mime component. Specifically, the \u003ccode\u003eSymfony\\Component\\Mime\\Address\u003c/code\u003e class, responsible for validating and handling email addresses, fails to properly sanitize or reject addresses containing CRLF characters (\u003ccode\u003e\\r\\n\u003c/code\u003e). This flaw allows an attacker to inject arbitrary email headers or even execute unauthorized SMTP commands by crafting a malicious email address. The vulnerability impacts applications using vulnerable versions of \u003ccode\u003esymfony/mime\u003c/code\u003e and \u003ccode\u003esymfony/symfony\u003c/code\u003e, potentially leading to spoofing, spamming, or other malicious activities. Versions affected include those prior to 5.4.52, versions 6.0.0 to before 6.4.40, versions 7.0.0 to before 7.4.12 and versions 8.0.0 to before 8.0.12. This vulnerability is identified as CVE-2026-45067 and has a severity rating of High.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious email address containing CRLF characters within the local-part (before the @ symbol), such as \u003ccode\u003e\u0026quot;x\\r\\nBcc: attacker@evil\u0026quot;@example.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Symfony application accepts this email address through a form, API, or other input vector, passing it to the \u003ccode\u003eSymfony\\Component\\Mime\\Address\u003c/code\u003e constructor.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAddress\u003c/code\u003e constructor, instead of rejecting the address, stores it verbatim.\u003c/li\u003e\n\u003cli\u003eThe application uses the stored email address in the \u0026ldquo;To,\u0026rdquo; \u0026ldquo;From,\u0026rdquo; \u0026ldquo;CC,\u0026rdquo; or \u0026ldquo;BCC\u0026rdquo; fields of an email message.\u003c/li\u003e\n\u003cli\u003eWhen the email message is rendered, the injected CRLF characters create a new header, such as \u0026ldquo;Bcc: attacker@evil,\u0026rdquo; effectively adding the attacker to the recipient list.\u003c/li\u003e\n\u003cli\u003eIf the application uses \u003ccode\u003eSmtpTransport\u003c/code\u003e, the malicious address is also passed to the \u003ccode\u003eMAIL FROM:\u0026lt;...\u0026gt;\u003c/code\u003e or \u003ccode\u003eRCPT TO:\u0026lt;...\u0026gt;\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003eThe SMTP server interprets the injected CRLF as a command separator, potentially allowing the attacker to execute arbitrary SMTP commands.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully injects headers or commands, leading to unauthorized email delivery, spoofing, or other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to inject arbitrary email headers, potentially leading to the distribution of spam or phishing emails that appear to originate from a trusted source. Furthermore, the ability to inject SMTP commands could allow attackers to bypass security measures and gain unauthorized access to email servers. The number of affected applications is potentially large, given the widespread use of Symfony in web development. If exploited, this vulnerability could lead to significant reputational damage, financial losses, and legal liabilities for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Symfony \u003ccode\u003esymfony/mime\u003c/code\u003e and \u003ccode\u003esymfony/symfony\u003c/code\u003e version 5.4.52 or higher, 6.4.40 or higher, 7.4.12 or higher, or 8.0.12 or higher to apply the patch that rejects addresses containing line breaks (see resolution details in the overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect attempts to exploit this vulnerability by identifying email addresses containing CRLF characters in application logs.\u003c/li\u003e\n\u003cli\u003eReview and audit any code that processes or handles email addresses to ensure proper input validation and sanitization techniques are employed, as an additional layer of defense.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T20:42:55Z","date_published":"2026-05-27T20:42:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-symfony-crlf-injection/","summary":"Symfony's Mime Address component is susceptible to email header and SMTP command injection due to accepting CRLF characters within email addresses, leading to potential header manipulation or unauthorized SMTP commands in symfony/mime and symfony/symfony versions prior to 5.4.52, versions 6.0.0 to before 6.4.40, versions 7.0.0 to before 7.4.12 and versions 8.0.0 to before 8.0.12.","title":"Symfony Email Header / SMTP Command Injection via CRLF Characters","url":"https://feed.craftedsignal.io/briefs/2026-05-symfony-crlf-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45067","version":"https://jsonfeed.org/version/1.1"}