PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functional bug in which PHPMailer always treated UNC pathnames as unreadable, even in safe contexts. As an unintended side effect, that fix removed the code that had blocked addAttachment exploitation.
{
"versions": [
{
"introduced": "6.1.8"
},
{
"last_affected": "6.4.0"
},
{
"introduced": "5.2"
},
{
"fixed": "5.2.11"
}
]
}{
"versions": [
{
"introduced": "3.7"
},
{
"fixed": "3.7.36"
},
{
"introduced": "3.8"
},
{
"fixed": "3.8.36"
},
{
"introduced": "3.9"
},
{
"fixed": "3.9.34"
},
{
"introduced": "4.0"
},
{
"fixed": "4.0.33"
},
{
"introduced": "4.1"
},
{
"fixed": "4.1.33"
},
{
"introduced": "4.2"
},
{
"fixed": "4.2.30"
},
{
"introduced": "4.3"
},
{
"fixed": "4.3.26"
},
{
"introduced": "4.4"
},
{
"fixed": "4.4.25"
},
{
"introduced": "4.5"
},
{
"fixed": "4.5.24"
},
{
"introduced": "4.6"
},
{
"fixed": "4.6.21"
},
{
"introduced": "4.7"
},
{
"fixed": "4.7.21"
},
{
"introduced": "4.8"
},
{
"fixed": "4.8.17"
},
{
"introduced": "4.9"
},
{
"fixed": "4.9.18"
},
{
"introduced": "5.0"
},
{
"fixed": "5.0.13"
},
{
"introduced": "5.1"
},
{
"fixed": "5.1.10"
},
{
"introduced": "5.3"
},
{
"fixed": "5.3.8"
},
{
"introduced": "5.4"
},
{
"fixed": "5.4.6"
},
{
"introduced": "5.5"
},
{
"fixed": "5.5.5"
},
{
"introduced": "5.6"
},
{
"fixed": "5.6.4"
},
{
"introduced": "5.7"
},
{
"fixed": "5.7.2"
}
]
}