UBUNTU-CVE-2026-45068
Symfony PHP framework versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12 contain a vulnerability in SendmailTransport when used in -t mode. The issue occurs because recipient addresses are appended to the sendmail command line without a -- end-of-options separator, allowing addresses starting with a dash (-) to be misinterpreted as sendmail command-line options. This vulnerability has been fixed in the specified versions.
AI Analysis
Technical Summary
The vulnerability in Symfony's SendmailTransport component affects versions before 5.4.52, 6.4.40, 7.4.12, and 8.0.12. When operating in -t mode, recipient addresses are appended directly to the sendmail command line without a -- separator to indicate the end of options. This allows an attacker to craft an address beginning with a dash (-) that could be interpreted as a sendmail command-line option, potentially altering sendmail's behavior. The issue is resolved by adding the proper end-of-options separator in the fixed versions.
Potential Impact
An attacker could exploit this vulnerability by supplying a recipient address starting with a dash (-), which may be interpreted as a sendmail command-line option rather than a recipient address. This could lead to unintended command-line behavior of the sendmail process invoked by Symfony, potentially affecting mail delivery or enabling other command-line option abuses. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
A fix is available in Symfony versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. Users should upgrade to these or later versions to remediate the vulnerability. No vendor advisory indicating alternative mitigations or no-action was provided, so upgrading is the recommended remediation.
UBUNTU-CVE-2026-45068
Description
Symfony PHP framework versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12 contain a vulnerability in SendmailTransport when used in -t mode. The issue occurs because recipient addresses are appended to the sendmail command line without a -- end-of-options separator, allowing addresses starting with a dash (-) to be misinterpreted as sendmail command-line options. This vulnerability has been fixed in the specified versions.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]?arch=source&distro=xenialpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu0.1+esm2?arch=source&distro=esm-apps/bionicpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1+esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu8+esm1?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+dfsg-3ubuntu3+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]+dfsg-1?arch=source&distro=questingpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1?arch=source&distro=resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Symfony's SendmailTransport component affects versions before 5.4.52, 6.4.40, 7.4.12, and 8.0.12. When operating in -t mode, recipient addresses are appended directly to the sendmail command line without a -- separator to indicate the end of options. This allows an attacker to craft an address beginning with a dash (-) that could be interpreted as a sendmail command-line option, potentially altering sendmail's behavior. The issue is resolved by adding the proper end-of-options separator in the fixed versions.
Potential Impact
An attacker could exploit this vulnerability by supplying a recipient address starting with a dash (-), which may be interpreted as a sendmail command-line option rather than a recipient address. This could lead to unintended command-line behavior of the sendmail process invoked by Symfony, potentially affecting mail delivery or enabling other command-line option abuses. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
A fix is available in Symfony versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. Users should upgrade to these or later versions to remediate the vulnerability. No vendor advisory indicating alternative mitigations or no-action was provided, so upgrading is the recommended remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-45068
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:16.04:LTS","Ubuntu:Pro:18.04:LTS","Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4b168715ace43da95b6
Added to database: 07/16/2026, 10:38:41 UTC
Last enriched: 07/16/2026, 12:49:11 UTC
Last updated: 07/16/2026, 12:49:11 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.