CVE-2018-19296
Description
PHPMailer versions before 5.2.27 and 6.x before 6.0.6 are vulnerable to object injection via crafted email headers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPMailer versions before 5.2.27 and 6.x before 6.0.6 are vulnerable to object injection via crafted email headers.
Vulnerability
PHPMailer versions before 5.2.27 and 6.x before 6.0.6 contain an object injection vulnerability. The issue occurs when the library deserializes user-controllable input during email header parsing, allowing an attacker to inject arbitrary PHP objects. This affects applications that process untrusted data through PHPMailer's msgHTML() or similar methods that trigger deserialization. [1][2]
Exploitation
An attacker needs the ability to supply malicious input to PHPMailer's header processing functions, typically through crafted email content or headers. The attacker crafts a serialized payload that, when deserialized by PHPMailer, leads to object injection. No authentication or special network position is required if the application exposes PHPMailer to user-supplied data. [1]
Impact
Successful exploitation allows an attacker to inject arbitrary PHP objects, potentially leading to remote code execution (RCE), information disclosure, or other unintended behavior depending on available gadget chains in the application's environment. The attacker gains the ability to execute code at the privilege level of the web server or PHP process. [1][4]
Mitigation
Users should upgrade to PHPMailer version 5.2.27 or 6.0.6, which were released in November 2018 and contain the fix. No workarounds are known. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [2][4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpmailer/phpmailerPackagist | >= 5.0.0, < 5.2.27 | 5.2.27 |
phpmailer/phpmailerPackagist | >= 6.0.0, < 6.0.6 | 6.0.6 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
14- github.com/advisories/GHSA-7w4p-72j7-v7c2ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2018-19296ghsaADVISORY
- www.debian.org/security/2018/dsa-4351ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2018-19296.yamlghsaWEB
- github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27ghsax_refsource_MISCWEB
- github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6ghsax_refsource_MISCWEB
- github.com/PHPMailer/PHPMailer/security/advisories/GHSA-7w4p-72j7-v7c2ghsaWEB
- lists.debian.org/debian-lts-announce/2018/12/msg00020.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5BghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVTghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5BghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVTghsaWEB
News mentions
0No linked articles in our index yet.