GHSA-xx3c-qf5g-hc39
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Details
### Description
Symfony Mailer selects a transport via the `MAILER_DSN` environment variable / configuration (e.g. `smtp://...`, `sendmail://...`, `native://default`). `SendmailTransport` invokes the local `sendmail` binary and supports two modes: `-bs` (speak SMTP over stdin: the default) and `-t` (read the message on stdin, pass recipients as command-line arguments).
In `-t` mode, recipient addresses are appended to the sendmail command line **without a `--` end-of-options separator**. A recipient address beginning with `-` (which `Symfony\Component\Mime\Address` accepts as valid) is therefore interpreted by sendmail as a command-line option rather than an address.
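An added example (not Symfony's own code) that contrasts the `-t` command line assembled without and with the `--` separator, and shows the pre-send check a defender can run over recipients; the sendmail path and the sample addresses are constructed, and nothing is executed.

```php
<?php
// Added illustration of the advisory, not code from symfony/mailer.
// Only command strings are built here; no process is spawned.
declare(strict_types=1);

/** Vulnerable shape: recipients follow "-t" with no "--", so sendmail option
 *  parsing is still active when it reaches them. escapeshellarg() protects the
 *  shell, but it does not stop sendmail from treating a leading "-" as an option. */
function buildVulnerableCommand(string $sendmail, array $recipients): string
{
    $cmd = $sendmail . ' -t';
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . escapeshellarg($rcpt);
    }
    return $cmd;
}

/** Hardened shape: "--" ends option parsing, so every later argument is an
 *  address no matter what character it starts with. */
function buildHardenedCommand(string $sendmail, array $recipients): string
{
    $cmd = $sendmail . ' -t --';
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . escapeshellarg($rcpt);
    }
    return $cmd;
}

/** Defensive pre-send check for deployments that cannot upgrade yet:
 *  returns the recipients that sendmail would read as options. */
function dashPrefixedRecipients(array $recipients): array
{
    return array_values(array_filter(
        $recipients,
        fn (string $r): bool => strncmp($r, '-', 1) === 0
    ));
}

// Constructed sample: a normal address and a dash-prefixed one that
// Symfony\Component\Mime\Address would still accept as syntactically valid.
$recipients = ['alice@example.com', '-bs@example.com'];
$sendmail   = '/usr/sbin/sendmail'; // hypothetical path

echo buildVulnerableCommand($sendmail, $recipients), "\n";
echo buildHardenedCommand($sendmail, $recipients), "\n";

foreach (dashPrefixedRecipients($recipients) as $bad) {
    fwrite(STDERR, "refusing dash-prefixed recipient before transport: {$bad}\n");
}
```

Comparing the two printed lines shows the only difference is the `--` token; the check is what you would wire in front of the transport (or alert on in mail logs) while the upgrade is pending.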
### Resolution
The `SendmailTransport` transport now ensures that `--` is inserted before the list of recipients.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c45144862dc289d03952f41f6078174089a3afc6) for branch 5.4.
### Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
### Affected packages

| Package | Affected versions | Fixed in | Upgrade |
| --- | --- | --- | --- |
| symfony/mailer | >= 0, < 5.4.52 | 5.4.52 | `composer require symfony/mailer:^5.4.52` |
| symfony/mailer | >= 6.0.0, < 6.4.40 | 6.4.40 | `composer require symfony/mailer:^6.4.40` |
| symfony/mailer | >= 7.0.0, < 7.4.12 | 7.4.12 | `composer require symfony/mailer:^7.4.12` |
| symfony/mailer | >= 8.0.0, < 8.0.12 | 8.0.12 | `composer require symfony/mailer:^8.0.12` |
| symfony/symfony | >= 0, < 5.4.52 | 5.4.52 | `composer require symfony/symfony:^5.4.52` |
| symfony/symfony | >= 6.0.0, < 6.4.40 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| symfony/symfony | >= 7.0.0, < 7.4.12 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | >= 8.0.0, < 8.0.12 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |

### References
- https://github.com/symfony/symfony/security/advisories/GHSA-xx3c-qf5g-hc39 [WEB]
- https://github.com/symfony/symfony/commit/c45144862dc289d03952f41f6078174089a3afc6 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mailer/CVE-2026-45068.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45068.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45068 [WEB]