PHPMailer versions 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code has been injected into the host project's scope by other means). The vulnerability arises when the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator): if the global namespace contains a function named php, that function is called instead of the built-in validator of the same name, because a plain string is accepted as a callable before the built-in pattern names are consulted. This vulnerability has been mitigated in PHPMailer version 6.5.0 by denying the use of simple strings as validator function names.
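The dispatch mistake described above, as an added illustration that is not PHPMailer's own code: a simplified validateAddress() that honours any callable, including a bare function name, beside a version that only accepts non-string callables. The helper names and the stand-in built-in validator are assumptions, and the global php() is a constructed stand-in for code injected by other means.

```php
<?php
// Added illustration (not PHPMailer's code): a string validator name can
// resolve to a user-defined global function; rejecting plain strings as
// callables closes that path.

// Simplified stand-in for the built-in 'php' validator (assumption).
function builtinPhpValidator(string $address): bool
{
    return (bool) filter_var($address, FILTER_VALIDATE_EMAIL);
}

// Vulnerable pattern: any callable, including the bare string 'php', is
// dispatched before the built-in pattern names are checked.
function validateAddressVulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return $patternselect === 'php' ? builtinPhpValidator($address) : false;
}

// Hardened pattern: only non-string callables (closures, [object, method]
// arrays) are accepted, so 'php' always reaches the built-in validator.
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return $patternselect === 'php' ? builtinPhpValidator($address) : false;
}

// Constructed stand-in for a function injected into the global namespace;
// it accepts every address, which is enough to show the validation bypass.
if (!function_exists('php')) {
    function php(string $address): bool
    {
        return true;
    }
}

$bad = 'not an email';
// The vulnerable version calls the global php() and accepts the bad address;
// the hardened version ignores the string and runs the built-in validator.
var_dump(validateAddressVulnerable($bad));
var_dump(validateAddressHardened($bad));
// A closure is still honoured by the hardened version.
var_dump(validateAddressHardened($bad, fn (string $a): bool => str_contains($a, '@')));
```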
The CVSS score for this vulnerability is 8.1, categorizing it as high severity. A score in this range indicates the potential for significant impact on confidentiality, integrity, and availability. The risk to organizations includes unauthorized code execution, which could lead to data breaches and system compromise.
As of now, there are no known exploits or public proof-of-concept (PoC) available for this vulnerability. However, organizations should prioritize patching immediately to mitigate potential risks.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.