GHSA-5vg9-5847-vvmq: Laravel Framework: CRLF injection in default email rule

June 17, 2026

A CRLF injection vulnerability in Laravel’s email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied addresses.

References

github.com/advisories/GHSA-5vg9-5847-vvmq
github.com/laravel/framework/security/advisories/GHSA-5vg9-5847-vvmq

Code Behaviors & Features

Detect and mitigate GHSA-5vg9-5847-vvmq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →