CVE-2026-45068: Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration (e.g. smtp://..., sendmail://..., native://default). SendmailTransport invokes the local sendmail binary and supports two modes: -bs (speak SMTP over stdin; the default) and -t (read the message on stdin and pass recipients as command-line arguments).
In -t mode, recipient addresses are appended to the sendmail command line without a -- end-of-options separator. A recipient address beginning with - (which Symfony\Component\Mime\Address accepts as valid) is therefore interpreted by sendmail as a command-line option rather than an address.
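The following Python model is an added example, not Symfony's code, of the argv assembly the advisory describes: a recipient that passes a plain address-format check is still appended as a bare token after -t, so a leading dash makes sendmail read it as an option. The hardened builder rejects option-like recipients and terminates option parsing with `--`; the sendmail path, function names and sample addresses are assumptions.

```python
"""Model of unsafe vs. hardened sendmail -t argv assembly (illustrative, not Symfony's code)."""
import re
from typing import List

SENDMAIL = "/usr/sbin/sendmail"  # assumed binary path (placeholder)

# Addr-spec check similar in spirit to a permissive Address validator: note that
# '-' is a legal character, so "-foo@example.com" passes this check on its own.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_option_like(address: str) -> bool:
    """True if sendmail would parse this token as an option rather than an address."""
    return address.startswith("-")


def unsafe_recipients(recipients: List[str]) -> List[str]:
    """Recipients that are malformed or option-like; an empty list means all are safe."""
    return [a for a in recipients if is_option_like(a) or not _ADDR_RE.match(a)]


def vulnerable_argv(recipients: List[str]) -> List[str]:
    """The pattern in the advisory: recipients follow -t with no '--' separator."""
    return [SENDMAIL, "-t"] + list(recipients)


def hardened_argv(recipients: List[str]) -> List[str]:
    """Reject option-like recipients, then end option parsing with '--' before them."""
    bad = unsafe_recipients(recipients)
    if bad:
        raise ValueError(f"refusing option-like or malformed recipients: {bad!r}")
    return [SENDMAIL, "-t", "--"] + list(recipients)


def option_like_recipients(argv: List[str]) -> List[str]:
    """Detection heuristic for process/audit logs: tokens after -t that contain '@'
    (address-shaped) but start with '-' and are not protected by a preceding '--'."""
    if "-t" not in argv:
        return []
    tail = argv[argv.index("-t") + 1:]
    if "--" in tail:
        tail = tail[:tail.index("--")]
    return [tok for tok in tail if tok.startswith("-") and "@" in tok]


if __name__ == "__main__":
    sample = ["alice@example.com", "-foo@example.com"]  # constructed sample recipients
    print("vulnerable argv:", vulnerable_argv(sample))
    print("flagged:", option_like_recipients(vulnerable_argv(sample)))
    print("rejected by hardened builder:", unsafe_recipients(sample))
```

Whether `--` is honoured depends on the sendmail implementation in use, so rejecting dash-prefixed recipients before they reach the command line is the primary control.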
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mailer/CVE-2026-45068.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45068.yaml
- github.com/advisories/GHSA-xx3c-qf5g-hc39
- github.com/symfony/symfony/commit/c45144862dc289d03952f41f6078174089a3afc6
- github.com/symfony/symfony/security/advisories/GHSA-xx3c-qf5g-hc39
- nvd.nist.gov/vuln/detail/CVE-2026-45068
- symfony.com/cve-2026-45068