VYPR
High severity8.1NVD Advisory· Published Nov 15, 2017· Updated Jun 17, 2026

CVE-2017-15806

CVE-2017-15806

Description

The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
zetacomponents/mailPackagist
< 1.8.21.8.2

Affected products

2

Patches

Vulnerability mechanics

References

12

News mentions

0

No linked articles in our index yet.