CVE-2020-36326
CRITICAL: PHPMailer 6.1.8-6.4.0 - Object Injection via addAttachment UNC Pathname
Title source: llmDescription
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
References (3)
Core References
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
Scores
CVSS v3
9.8
EPSS
0.0030
EPSS Percentile
53.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (3)
phpmailer/phpmailer
6.1.8 - 6.4.1 (Packagist)
phpmailer_project/phpmailer
6.1.8 - 6.4.0
wordpress/wordpress
3.7 - 3.7.36
Published
Apr 28, 2021
Tracked Since
Feb 18, 2026