Low severity · NVD Advisory · Published Dec 16, 2015 · Updated May 6, 2026
CVE-2015-8476
Description
Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.
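The following is an added example, not PHPMailer's code and not taken from the fix commit: it shows why an unchecked CR/LF in an address or command string becomes extra SMTP lines on the wire, next to one way to reject such input. All function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added illustration, not PHPMailer code. All function names are hypothetical.

// Guard: a value destined for one SMTP command line must not contain CR or LF.
function assert_single_line(string $value, string $what): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("CR/LF not allowed in $what");
    }
    return $value;
}

// Unsafe pattern: the address is interpolated as-is, so a CR/LF inside it
// ends the RCPT command early and starts a new line.
function build_rcpt_unsafe(string $address): string
{
    return 'RCPT TO:<' . $address . '>' . "\r\n";
}

// Hardened pattern: check the address, then check the finished command too,
// mirroring the two entry points named in the description.
function build_rcpt_checked(string $address): string
{
    $address = assert_single_line($address, 'address');
    return assert_single_line('RCPT TO:<' . $address . '>', 'SMTP command') . "\r\n";
}

// Number of lines a server would parse from what the client wrote.
function count_smtp_lines(string $wire): int
{
    return count(preg_split('/\r\n/', $wire, -1, PREG_SPLIT_NO_EMPTY));
}

// Constructed sample inputs: one ordinary address, one with an embedded CRLF.
$samples = ['user@example.com', "user@example.com>\r\nNOOP"];

foreach ($samples as $address) {
    $lines = count_smtp_lines(build_rcpt_unsafe($address));
    try {
        build_rcpt_checked($address);
        $verdict = 'accepted';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%d line(s) when unchecked; checked builder: %s\n", $lines, $verdict);
}
```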
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmailer/phpmailer (Packagist) | >= 5.0.0, < 5.2.14 | 5.2.14 |
Affected products
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Patches
- 6687a96a18b8
References
- github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14 (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-738m-f33v-qc2r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8476 (ghsa, ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html (nvd, WEB)
- www.debian.org/security/2015/dsa-3416 (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/12/04/5 (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/12/05/1 (nvd, WEB)
- www.securityfocus.com/bid/78619 (nvd, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2015-8476.yaml (ghsa, WEB)
- github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0 (nvd, WEB)
- github.com/PHPMailer/PHPMailer/security/advisories/GHSA-738m-f33v-qc2r (ghsa, WEB)