
CVE-2020-36326

Published: 2021-04-28T03:15Z
Last Modified: 2024-11-21T05:29Z
Source: MITRE CVE List
License: MITRE-CVE-TOS

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

MITRE Terms of Use apply – see LICENSE‑MITRE.txt