=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN567
_____________________________________________________________________

DATE                : 01/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running laravel/framework (Composer)
                         versions prior to 12.60.0, 13.10.0.

=====================================================================
https://github.com/laravel/framework/security/advisories/GHSA-5vg9-5847-vvmq
_____________________________________________________________________


CRLF injection in default email rule
High
andrei-laravel published GHSA-5vg9-5847-vvmq Jun 1, 2026

Package
laravel/framework (Composer)

Affected versions
<= 13.9.0
< 12.60.0

Patched versions
>= 13.10.0
>= 12.60.0


Description

Summary

A CRLF injection vulnerability in Laravel's email validation, in
combination with how Symfony Mailer and Symfony Mime handle certain
character sequences, may allow an unauthenticated attacker to interfere
with outbound email processing in applications that send mail to
user-supplied addresses.


Description

Laravel applications that send email to addresses provided by users — for
example during authentication flows or contact forms — may be vulnerable
to manipulation of outbound mail content if the address is not adequately
sanitized before it reaches the mail transport layer.
An attacker who can supply an email address to such a flow may, under
certain conditions, be able to influence the content of emails sent by
the application, cause those emails to be delivered to unintended
recipients, or cause the application's mail server to send unintended
messages.


Impact

Affected applications may be exposed to unauthorized access and mail relay
abuse. The severity depends on what the application sends by email and how
its mail infrastructure is configured.


Remediation

Upgrade to version 12.60.0 or later, or 13.10.0 or later.
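As a defence-in-depth measure beside the upgrade, the following added example (not code from the advisory or the Laravel project) shows a custom validation rule that rejects any address containing control characters before it reaches the mailer; it assumes Laravel 10 or later, where the `Illuminate\Contracts\Validation\ValidationRule` interface exists.

```php
<?php
// Added example, not part of the advisory or of laravel/framework.
// Rejects addresses containing CR, LF, NUL or any other ASCII control
// character so they never reach Symfony Mailer. Assumes Laravel 10+.

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;

final class NoControlCharacters implements ValidationRule
{
    /** True when the value contains no ASCII control character (0x00-0x1F, 0x7F). */
    public static function isClean(string $value): bool
    {
        return preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
    }

    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        if (!is_string($value) || !self::isClean($value)) {
            $fail("The {$attribute} field contains characters that are not allowed.");
        }
    }
}

// Usage in a form request or controller: keep the framework's own `email`
// rule and add the control-character rule after it. Upgrading to a patched
// release is still the actual fix; this rule only narrows what can reach
// the transport layer.
$rules = [
    'email' => ['required', 'string', 'max:254', 'email', new NoControlCharacters],
];

// Constructed sample inputs (not real addresses) showing what the check
// accepts and rejects.
$samples = [
    "user@example.com"            => true,  // ordinary address
    "user@example.com\r\nx"       => false, // embedded CR LF
    "user\n@example.com"          => false, // bare LF
    "user@example.com\0"          => false, // embedded NUL
    "user@example.com\x7F"        => false, // DEL
];

foreach ($samples as $input => $expected) {
    assert(NoControlCharacters::isClean($input) === $expected);
}
```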


Severity
High
8.9 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

CVE ID
CVE-2026-48019

Weaknesses
Weakness CWE-93

Credits

    @OmarXtream (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================