CVE-2020-36326

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-36326
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36326.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-36326
Aliases
Downstream
Published
2021-04-28T03:15:07.400Z
Modified
2026-02-14T07:27:31.992178Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

References

Affected packages

Git / github.com/phpmailer/phpmailer

Affected ranges

Type
GIT
Repo
https://github.com/phpmailer/phpmailer
Events
Introduced
cca7fc22fb115c0a75cff77432afd38228f45bbb
Fixed
7830cb9a761d974e58e3173137eac93da1cd715a

Affected versions

v5.*
v5.2.0
v5.2.1
v5.2.10
v5.2.2
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36326.json"