PT-2026-44136 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45067
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 5.4.21
Description: The Symfony\Component\Mime\Address constructor fails to properly validate email addresses when the local-part is a quoted string containing raw carriage return and line feed (CRLF, \r\n) bytes. This allows an attacker to embed CRLF sequences, which are later emitted verbatim into rendered message headers and into SmtpTransport protocol lines such as MAIL FROM:<...> and RCPT TO:<...>. This can lead to the injection of new mail headers or additional SMTP commands.
Recommendations: Update to version 5.4.21 or later.
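As an added, application-side guard (example code written for this entry, not Symfony's own code and not a substitute for the upgrade), the check below rejects any address string carrying raw control bytes before it would be handed to Symfony\Component\Mime\Address or rendered into an SMTP envelope line. It uses no Symfony API, so it runs with plain PHP; the function names and sample inputs are assumptions.

```php
<?php
// Added example (not Symfony's code): refuse to build an address or an SMTP
// envelope line from input that contains raw CR/LF or other control bytes,
// the exact bytes the advisory says the Address constructor failed to reject.
declare(strict_types=1);

final class AddressInputError extends InvalidArgumentException {}

/**
 * Reject any ASCII control character (including \r and \n) anywhere in the
 * address, even inside a quoted local-part where a quoted-string would
 * otherwise tolerate unusual bytes. Returns the address unchanged when clean.
 */
function assertNoControlBytes(string $address): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $address, $m, PREG_OFFSET_CAPTURE) === 1) {
        throw new AddressInputError(sprintf(
            'Control byte 0x%02X at offset %d in address; possible header/SMTP injection',
            ord($m[0][0]),
            $m[0][1]
        ));
    }
    return $address;
}

/** Build the SMTP envelope line only from a validated address. */
function mailFromLine(string $address): string
{
    return 'MAIL FROM:<' . assertNoControlBytes($address) . ">\r\n";
}

// Constructed sample inputs: a legitimate quoted local-part, and one that
// smuggles a CRLF plus an extra header line inside the quotes.
$clean   = '"john doe"@example.com';
$tainted = "\"john\r\nX-Injected: 1\"@example.com";

echo mailFromLine($clean);   // MAIL FROM:<"john doe"@example.com>

try {
    mailFromLine($tainted);
} catch (AddressInputError $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Apply the same check to the Bcc/To/From values taken from user input, since the advisory notes the bytes also reach rendered message headers, not only the envelope.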

Related Identifiers

CVE-2026-45067
GHSA-QPMX-3RFJ-7RHV

Affected Products

Symfony