PT-2026-44137 · Symfony · Symfony/Mailer

Published 2026-05-21 · Updated 2026-05-27 · CVE-2026-45068

CVSS v4.0: 6.2 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions

Symfony Mailer (affected versions not specified)

Description

When using SendmailTransport in -t mode, recipient addresses are appended to the sendmail command line without a -- end-of-options separator. Because Symfony\Component\Mime\Address accepts addresses starting with a hyphen, a recipient address beginning with - can be interpreted by the sendmail binary as a command-line option instead of an email address. This occurs when the transport is configured via the MAILER_DSN environment variable.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
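
The missing end-of-options separator described above, shown as an added example that is not Symfony's code. count_args is a constructed stand-in parser, assumed to treat every hyphen-leading argument before -- as an option, and the addresses are constructed samples.

```shell
#!/bin/sh
# Added example. count_args is a constructed stand-in for an option-parsing
# mail binary: it delivers nothing and is not sendmail's real parser.
# Assumption: every argument before "--" that starts with "-" is an option.

# Report how many arguments were parsed as options and how many as recipients.
count_args() {
    opts=0
    rcpts=0
    parsing=1
    for arg in "$@"; do
        if [ "$parsing" -eq 1 ]; then
            case $arg in
                --) parsing=0; continue ;;
                -*) opts=$((opts + 1)); continue ;;
            esac
        fi
        rcpts=$((rcpts + 1))
    done
    echo "options=$opts recipients=$rcpts"
}

# Application-side guard: succeed only if the address cannot be read as an option.
is_safe_recipient() {
    case $1 in
        ''|-*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Constructed sample recipients; the second one starts with a hyphen.
GOOD='alice@example.test'
ODD='-v@example.test'

# Without a separator the hyphen-leading address is counted as an option.
unsafe_call() { count_args -t "$GOOD" "$ODD"; }

# With "--" after the fixed options both addresses stay recipients.
safe_call() { count_args -t -- "$GOOD" "$ODD"; }

unsafe_call   # options=2 recipients=1
safe_call     # options=1 recipients=2
```

Until a fixed release is identified, a guard like is_safe_recipient applied to addresses before they reach the transport covers the case where the separator is absent.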

Exploit

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2026-45068
GHSA-XX3C-QF5G-HC39

Affected Products

Symfony/Mailer