A security vulnerability (CVE-2026-45070) in Symfony's MIME component allows email header injection through non-token characters in MIME parameter names. Symfony validated parameter values but not parameter names, so an attacker whose input reaches a parameter name could place CRLF sequences or other non-token bytes in it, terminate the header being built, and inject arbitrary additional headers into the message. The fix, available in Symfony 5.4.52, 6.4.40, 7.4.12, and 8.0.12, makes ParameterizedHeader reject parameter names containing bytes outside the RFC token character class. Code that serializes MIME headers itself should apply the same check: a parameter name must be a token, never raw application input.
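
The following is an added, stand-alone model of the bug class and of the fix; it is not Symfony's code and does not use its API. It serializes a parameterized header two ways: one variant checks only parameter values, as the vulnerable versions did, and the other also requires every parameter name to be an RFC 2045 token. The function names, the `Bcc` payload and the sample header are constructed for the demonstration.

```python
"""Model of MIME parameterized-header serialization: a variant that checks only
parameter values beside one that also checks parameter names against the
RFC 2045 token class. Hypothetical stand-alone code, not Symfony's
ParameterizedHeader."""

CRLF = "\r\n"

# RFC 2045 section 5.1:
#   token := 1*<any (US-ASCII) CHAR except SPACE, CTLs, or tspecials>
TSPECIALS = frozenset('()<>@,;:\\"/[]?=')


def is_token(s: str) -> bool:
    """Return True if s is a non-empty RFC 2045 token."""
    if not s:
        return False
    for ch in s:
        o = ord(ch)
        # SPACE (0x20), CTLs (0x00-0x1F, 0x7F), non-ASCII and tspecials are excluded.
        if o <= 0x20 or o >= 0x7F or ch in TSPECIALS:
            return False
    return True


def _check_value(value: str) -> None:
    """Value validation: a parameter value containing a line break is rejected
    (this stands in for the check the vulnerable versions already performed)."""
    if "\r" in value or "\n" in value:
        raise ValueError("parameter value contains a line break")


def serialize_unchecked(name: str, value: str, params: dict) -> str:
    """Vulnerable model: values are checked and quoted, names are emitted verbatim."""
    parts = [f"{name}: {value}"]
    for pname, pvalue in params.items():
        _check_value(pvalue)
        parts.append(f'{pname}="{pvalue}"')
    return "; ".join(parts) + CRLF


def serialize_checked(name: str, value: str, params: dict) -> str:
    """Hardened model: refuse any parameter name outside the token class."""
    for pname in params:
        if not is_token(pname):
            raise ValueError(f"invalid parameter name: {pname!r}")
    return serialize_unchecked(name, value, params)


def header_names(raw: str) -> list:
    """Split a serialized header block on CRLF and return the header names a
    receiving MTA or client would see."""
    names = []
    for line in raw.split(CRLF):
        if line:
            names.append(line.split(":", 1)[0])
    return names


# Constructed attacker-controlled parameter name: the first CRLF terminates the
# Content-Type header, the text after it is read as a new Bcc header, and the
# second CRLF starts one more header that absorbs the quoted value.
INJECTED_NAME = "charset" + CRLF + "Bcc: attacker@example.invalid" + CRLF + "X-Ignored: x"


def demo() -> None:
    raw = serialize_unchecked("Content-Type", "text/plain", {INJECTED_NAME: "utf-8"})
    print(header_names(raw))  # ['Content-Type', 'Bcc', 'X-Ignored']
    try:
        serialize_checked("Content-Type", "text/plain", {INJECTED_NAME: "utf-8"})
    except ValueError as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    demo()
```

The value check alone is insufficient because the name is emitted before the value on the same line; the token check closes the gap by construction, since neither CR, LF, SPACE nor any other CTL or tspecial can appear in a token.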

From symfony.com