
GHSA-r9mw-gwx9-v3h5

GitHub Security Advisory

zend-mail remote code execution via Sendmail adapter

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

The Sendmail transport builds a -f<sender> option from the From address and hands it to PHP's mail() as its additional-parameters argument. mail() escapes shell metacharacters in that string but deliberately leaves paired double quotes untouched, and a \" inside an RFC 5321 quoted local part (for example "a\" ... "@example.com) breaks that pairing. The command line is then parsed by /bin/sh, which sees the remainder of the address as separate sendmail arguments chosen by whoever controls the From address. Applications that accept a user-supplied From address (contact forms, "send to a friend" features) and use the Sendmail transport are the exposed population; upgrading to 2.4.11 or 2.7.2, or rejecting any sender address that contains quotes, backslashes or whitespace before it reaches the transport, closes the hole.
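The mechanism traced end to end, as an added example that is neither zend-mail's nor the Zend Framework's code. PHP's mail() applies the same escaping as escapeshellcmd() to its fifth argument before handing the command line to /bin/sh, so escapeshellcmd() reproduces exactly what the shell receives; the shellWords() helper, the sendmail path, the /tmp/out.php target and the two crafted addresses are all assumptions constructed for the demonstration. It also covers the escapeshellarg() variant, because the obvious hardening (wrapping the address with escapeshellarg() and still passing it through mail()) is defeated by a \' in the same position:

```php
<?php
// Added example, not zend-mail's code. escapeshellcmd() here stands in for the
// escaping mail() applies internally to its additional-parameters argument.
// Sendmail path, /tmp/out.php and the helper names are demo assumptions.
declare(strict_types=1);

// Hypothetical helper: a small POSIX sh word splitter, enough for this demo.
// Single quotes are literal; inside double quotes a backslash escapes only
// \ " $ `; an unquoted backslash escapes the next character; whitespace splits.
function shellWords(string $cmd): array
{
    $words = []; $cur = ''; $inWord = false; $len = strlen($cmd);
    for ($i = 0; $i < $len; $i++) {
        $c = $cmd[$i];
        if ($c === "'") {
            $inWord = true;
            $end = strpos($cmd, "'", $i + 1);
            $end = ($end === false) ? $len : $end;
            $cur .= substr($cmd, $i + 1, $end - $i - 1);
            $i = $end;
        } elseif ($c === '"') {
            $inWord = true;
            for ($i++; $i < $len && $cmd[$i] !== '"'; $i++) {
                if ($cmd[$i] === '\\' && $i + 1 < $len && strpos('\\"$`', $cmd[$i + 1]) !== false) {
                    $i++;
                }
                $cur .= $cmd[$i];
            }
        } elseif ($c === '\\' && $i + 1 < $len) {
            $inWord = true;
            $cur .= $cmd[++$i];
        } elseif ($c === ' ' || $c === "\t") {
            if ($inWord) { $words[] = $cur; $cur = ''; $inWord = false; }
        } else {
            $inWord = true;
            $cur .= $c;
        }
    }
    if ($inWord) { $words[] = $cur; }
    return $words;
}

// The vulnerable shape: the address is concatenated straight into -f.
function vulnerableSenderParam(string $email): string
{
    return '-f' . $email;
}

// The tempting fix that is still unsafe when the result goes through mail().
function escapeshellargSenderParam(string $email): string
{
    return '-f' . escapeshellarg($email);
}

// Conservative fix: accept only a plain dot-atom address. Deliberately stricter
// than RFC 5322 so that quotes, backslashes and whitespace can never reach -f.
function safeSenderParam(string $email): string
{
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email)) {
        throw new InvalidArgumentException('sender address rejected');
    }
    return '-f' . $email;
}

$sendmail = '/usr/sbin/sendmail -t -i';   // assumed sendmail_path
$addresses = [
    'benign'   => 'alice@example.com',
    // Constructed attack strings in the shape the advisory describes. -X is
    // sendmail's log-file option, so a writable path is the classic target.
    'crafted'  => '"a\" -X/tmp/out.php "@example.com',
    'crafted2' => "\"a\\' -X/tmp/out.php \"@example.com",
];
$builders = ['concat' => 'vulnerableSenderParam', 'escapeshellarg' => 'escapeshellargSenderParam'];

foreach ($addresses as $name => $addr) {
    foreach ($builders as $how => $fn) {
        // argv sendmail actually receives, after mail()'s escaping and sh parsing
        $argv = shellWords($sendmail . ' ' . escapeshellcmd($fn($addr)));
        printf("%-8s %-14s sendmail argv after -i: %s\n", $name, $how,
            json_encode(array_slice($argv, 3), JSON_UNESCAPED_SLASHES));
    }
    try {
        safeSenderParam($addr);
        printf("%-8s strict check: accepted\n", $name);
    } catch (InvalidArgumentException $e) {
        printf("%-8s strict check: rejected\n", $name);
    }
}
```

Run it with php and read the argv lines: the benign address yields a single -f argument under both builders, the \" address splits into three arguments (-fa\, -X/tmp/out.php and "@example.com) under plain concatenation but survives escapeshellarg(), and the \' address does the reverse, staying whole under concatenation but splitting once escapeshellarg()'s '\'' sequence is re-escaped by mail(). Neither escaping layer is a fix on its own; the allow-list check rejects both crafted addresses before any shell is involved. A transport that wants to keep RFC-style quoted local parts should avoid the mail() shell path entirely and exec sendmail with an argument array instead.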

Affected Packages

Packagist zendframework/zend-mail
Affected versions: < 2.4.11 (fixed in 2.4.11)
Packagist zendframework/zend-mail
Affected versions: >= 2.5.0, <= 2.5.2 (last affected: 2.5.2; no fixed release in the 2.5 series, upgrade to 2.7.2)
Packagist zendframework/zend-mail
Affected versions: >= 2.6.0, <= 2.6.2 (last affected: 2.6.2; no fixed release in the 2.6 series, upgrade to 2.7.2)
Packagist zendframework/zend-mail
Affected versions: >= 2.7.0, < 2.7.2 (fixed in 2.7.2)

Related CVEs

Key Information

GHSA ID
GHSA-r9mw-gwx9-v3h5
Published
May 14, 2022 2:19 AM
Last Modified
April 23, 2024 11:13 PM
CVSS Score
9.0 / 10
Primary Ecosystem
Packagist
Primary Package
zendframework/zend-mail
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.