UBUNTU-CVE-2026-45070
A vulnerability in the Symfony PHP framework's ParameterizedHeader component allows injection of additional mail headers by including CRLF or other non-token bytes in parameter names derived from untrusted input. This affects versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The issue is fixed in these versions.
AI Analysis
Technical Summary
Symfony's Component\Mime\Header\ParameterizedHeader validates and encodes parameter values but does not sanitize parameter names, allowing an attacker who controls parameter names derived from untrusted input to inject CRLF or other non-token bytes. This enables injection of additional headers into structured mail headers such as Content-Type or Content-Disposition. The vulnerability is resolved in Symfony versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Potential Impact
An attacker can inject additional mail headers into rendered structured mail headers, potentially manipulating email content or behavior. This could affect mail processing or delivery but does not directly imply remote code execution or system compromise based on the provided data.
Mitigation Recommendations
Upgrade Symfony to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12 or later where the issue is fixed. No vendor advisory contradicts this; patching is the recommended remediation.
UBUNTU-CVE-2026-45070
Description
A vulnerability in the Symfony PHP framework's ParameterizedHeader component allows injection of additional mail headers by including CRLF or other non-token bytes in parameter names derived from untrusted input. This affects versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The issue is fixed in these versions.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]?arch=source&distro=xenialpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu0.1+esm2?arch=source&distro=esm-apps/bionicpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1+esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu8+esm1?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+dfsg-3ubuntu3+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]+dfsg-1?arch=source&distro=questingpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1?arch=source&distro=resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Symfony's Component\Mime\Header\ParameterizedHeader validates and encodes parameter values but does not sanitize parameter names, allowing an attacker who controls parameter names derived from untrusted input to inject CRLF or other non-token bytes. This enables injection of additional headers into structured mail headers such as Content-Type or Content-Disposition. The vulnerability is resolved in Symfony versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Potential Impact
An attacker can inject additional mail headers into rendered structured mail headers, potentially manipulating email content or behavior. This could affect mail processing or delivery but does not directly imply remote code execution or system compromise based on the provided data.
Mitigation Recommendations
Upgrade Symfony to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12 or later where the issue is fixed. No vendor advisory contradicts this; patching is the recommended remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-45070
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:16.04:LTS","Ubuntu:Pro:18.04:LTS","Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4b168715ace43da959b
Added to database: 07/16/2026, 10:38:41 UTC
Last enriched: 07/16/2026, 12:48:40 UTC
Last updated: 07/16/2026, 12:48:40 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.