Vulnerability in Symfony
CVE-2026-45067
### Description `Symfony\Component\Mime\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developer…
Vulnerability class: CRLF Injection
Affected products
- Symfony — versions < 5.4.52, >= 6.0.0-BETA1, < 6.4.40, >= 7.0.0-BETA1, < 7.4.12
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-45067?
- CVE-2026-45067 is a vulnerability in Symfony, classified under CRLF Injection. Published 2026-07-14.
- Is CVE-2026-45067 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.