Vulnerability in Symfony

CVE-2026-45067

### Description `Symfony\Component\Mime\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developer…

Vulnerability class: CRLF Injection

Affected products

  • Symfony — versions < 5.4.52, >= 6.0.0-BETA1, < 6.4.40, >= 7.0.0-BETA1, < 7.4.12

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2026-45067?
CVE-2026-45067 is a vulnerability in Symfony, classified under CRLF Injection. Published 2026-07-14.
Is CVE-2026-45067 known to be exploited?
1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.