{"id":"CVE-2020-36326","details":"PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.","aliases":["BIT-phpmailer-2020-36326","BIT-wordpress-2020-36326","BIT-wordpress-multisite-2020-36326","GHSA-m298-fh5c-jc66"],"modified":"2026-05-18T21:45:37.759112Z","published":"2021-04-28T03:15:07.400Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/"},{"type":"FIX","url":"https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmailer/phpmailer","events":[{"introduced":"917ab212fa00dc6eacbb26e8bc387ebe40993bc1"},{"last_affected":"050d430203105c27c30efd1dce7aa421ad882d01"}],"database_specific":{"extracted_events":[{"introduced":"6.1.8"},{"last_affected":"6.4.0"}],"cpe":"cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v6.4.0","v6.3.0","v6.2.0","v6.1.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36326.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"3921fd373acaeeeee2029f762b676075cf375b33"},{"fixed":"bcffb1781f8e2cbea477ffa2c7a36f350f848462"},{"introduced":"36470a480cac07d34a355e9f8a9409c1349b6e07"},{"fixed":"14e8e38b4d8342658d81b49af4107c01054d233a"},{"introduced":"54a3b49fa91b7beeb3da2f448154f9e75f005a9a"},{"fixed":"b6c89b03759e34e73d8e7fffee16bbb3ac9976d9"},{"introduced":"842221094a5011886291b21fd7c705835d69e0bc"},{"fixed":"84cc95255d9c4c918961e155868ac955f50d7522"},{"introduced":"e5e791f331d371ad6262c1893d84f5f2b6c26464"},{"fixed":"a93620839832022c93c2eb4a3ca5656efdd854c6"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"159ad7daa6a58746273cf7f2df1fdfeff048f66c"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"b0b7f820ac48b76ed1f187f6f4b0a4f544982f6c"},{"introduced":"f6a29831c76d2dbe82e9ae673539f910654c58a4"},{"fixed":"9adffddd5206760a8daec6dafe3d129cbeacfb1a"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"12947925e6ab71deeee25e5bdf752093b7d75071"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"151f188b2ae430a22e47caa0be374cba783881dd"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"1fd23a61d649934a4315d79010e0765cd0b90fec"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"20f902f0979a24881423944395d7e0c192f576d1"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"c760c68c6f1361cc84513b349196113fae9ad055"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"ce3f48741b15676261a064e204663903e783869b"},{"introduced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"56691d83d2f9196193ab64f0a473c1e38eefa316"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"c7eba67186ab7b8c70f55192136094328591e078"},{"introduced":"50dc0ca5bb332c895f0f39fe4e6ee1e4a43e06dc"},{"fixed":"1d26e6b860ca3a615f1eb6a4d2632efa7b6d6ce1"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"f6e7d574f8f53ad70eef2268820c23d1fe7ed48f"},{"introduced":"537fd931bc02e6e934a2d774422b897871aa87ad"},{"fixed":"e2b6790d13fec0be8eeff4987aace0c9fec1ea50"},{"introduced":"965fcddcf68cf4fd122ae24b992e242dfea1d773"},{"fixed":"0742715a2eb695b3a5c9f77ce3d559d450ea7bc5"},{"introduced":"058f9903676a7efaee534a682df0a2a8b87574d8"},{"fixed":"473295ab123b35ed54104b599f12f9e8b5e97283"}],"database_specific":{"extracted_events":[{"introduced":"3.7"},{"fixed":"3.7.36"},{"introduced":"3.8"},{"fixed":"3.8.36"},{"introduced":"3.9"},{"fixed":"3.9.34"},{"introduced":"4.0"},{"fixed":"4.0.33"},{"introduced":"4.1"},{"fixed":"4.1.33"},{"introduced":"4.2"},{"fixed":"4.2.30"},{"introduced":"4.3"},{"fixed":"4.3.26"},{"introduced":"4.4"},{"fixed":"4.4.25"},{"introduced":"4.5"},{"fixed":"4.5.24"},{"introduced":"4.6"},{"fixed":"4.6.21"},{"introduced":"4.7"},{"fixed":"4.7.21"},{"introduced":"4.8"},{"fixed":"4.8.17"},{"introduced":"4.9"},{"fixed":"4.9.18"},{"introduced":"5.0"},{"fixed":"5.0.13"},{"introduced":"5.1"},{"fixed":"5.1.10"},{"introduced":"5.2"},{"fixed":"5.2.11"},{"introduced":"5.3"},{"fixed":"5.3.8"},{"introduced":"5.4"},{"fixed":"5.4.6"},{"introduced":"5.5"},{"fixed":"5.5.5"},{"introduced":"5.6"},{"fixed":"5.6.4"},{"introduced":"5.7"},{"fixed":"5.7.2"}],"cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36326.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"f1d358137f7ed657db6afec1b1eca0b9f7814e25"},{"fixed":"48daa917c86b7b0c33d12f775ff81ae65353b006"},{"introduced":"36e5687edb263228eb912d542ebad988e0672beb"},{"fixed":"978b5eb0d0cbebbf7c28425d542fa6f052decf83"},{"introduced":"c1b5c599c9d8d83ba3a1dcfe31570d1b0f6b4c3e"},{"fixed":"36c12857cc75a5d7b7196a07ef7517fd149df914"},{"introduced":"a3a0dab49ed5b740b3f05e48b06b0b259641e2d0"},{"fixed":"8b03abf5ace8d0be9236b80b1caa5a92770ca00f"},{"introduced":"470529c2bf211450e91f01ceadaa9fc97a2b4031"},{"fixed":"7f99c5dfbf68a9d2ac70a0fee81a49b9a7aeb15f"},{"introduced":"7b07c0ccc7453ce057e009ffa65f12a02ce7d2ee"},{"fixed":"1cab2e94d8e4aea62824c781e1bb6fd5b553fa9e"},{"introduced":"ec8826ed50f8ce0eea39900eeeba09a9d621f00e"},{"fixed":"084ab910eebca6a880a237ae27b0fe89404709ba"},{"introduced":"b5f6ca5af6e29fe5df7a65d512b177fa465cfa2e"},{"fixed":"7ad46e98516e73cae5694315f3a11f50aa0886e4"},{"introduced":"7acf453090c10537e6f41fc4cf2608d7bbcce8ca"},{"fixed":"eb78a61b03ba9f02cf80ef8bcd231cdb785199d5"},{"introduced":"7c76a1b79e21176b176b5b6d6b03151f8eea4b55"},{"fixed":"2609c6c6aaa91f6f6435f6709396399c9f6660dc"},{"introduced":"efa83f48bd4ebd066e5efc94b9feefe50e7925a2"},{"fixed":"28d3a6943fb2d0b04e468333f5c3213a389f244a"},{"introduced":"2ac9b801ef5c18accf223b093529dacfcf809133"},{"fixed":"c5bba6608f6a4310bf2ec6927839aaff14183303"},{"introduced":"31f7ece8503f0dc6ef1df2473ae3f3d352973e12"},{"fixed":"0d54dbe9d4d129226bdcaa6be910b735f52e361c"},{"introduced":"b3bf6266acd61682bc654845f621b4426645e324"},{"fixed":"b11241766ba77577b71a37adaf290e6d2321ca0d"},{"introduced":"5aa596fee9bf6ea7f0ccc2ed51b16c0f2f04076b"},{"fixed":"7415a5b31a3eec60685abaceb7945c42360dc27c"},{"introduced":"1cf3888655c0eb8b0b0539834ad67db5920190d7"},{"fixed":"34481193602e0c58b97997c3a20ed3b19285f5a3"},{"introduced":"d05f0a86b23e37b9d97acd9317ff3fd661d64dea"},{"fixed":"23185677876be9321d6f1c105dc78d7ccca7db97"},{"introduced":"e0bedd676512ace4c5586337c072037298315f79"},{"fixed":"20b346d70557ce602552f2617b97f059425f20a6"},{"introduced":"944a787b8071d3a27f4ac68980c21ed6137db91d"},{"fixed":"e145a010dc793819557cf359ecc73c7cb8b6a3a8"},{"introduced":"96a6969aab5f0b9362cbc984af230bdfc93022e8"},{"fixed":"4589b3cb6353f3fcab674ca92d97a23b5cd7f44e"},{"introduced":"895d6a691d7ccdfe80cdf999bc0c8a78d11ad55a"},{"fixed":"3873eb2690e85c5fd9fdd634843acc1d83c0c54a"}],"database_specific":{"extracted_events":[{"introduced":"3.7"},{"fixed":"3.7.36"},{"introduced":"3.8"},{"fixed":"3.8.36"},{"introduced":"3.9"},{"fixed":"3.9.34"},{"introduced":"4.0"},{"fixed":"4.0.33"},{"introduced":"4.1"},{"fixed":"4.1.33"},{"introduced":"4.2"},{"fixed":"4.2.30"},{"introduced":"4.3"},{"fixed":"4.3.26"},{"introduced":"4.4"},{"fixed":"4.4.25"},{"introduced":"4.5"},{"fixed":"4.5.24"},{"introduced":"4.6"},{"fixed":"4.6.21"},{"introduced":"4.7"},{"fixed":"4.7.21"},{"introduced":"4.8"},{"fixed":"4.8.17"},{"introduced":"4.9"},{"fixed":"4.9.18"},{"introduced":"5.0"},{"fixed":"5.0.13"},{"introduced":"5.1"},{"fixed":"5.1.10"},{"introduced":"5.2"},{"fixed":"5.2.11"},{"introduced":"5.3"},{"fixed":"5.3.8"},{"introduced":"5.4"},{"fixed":"5.4.6"},{"introduced":"5.5"},{"fixed":"5.5.5"},{"introduced":"5.6"},{"fixed":"5.6.4"},{"introduced":"5.7"},{"fixed":"5.7.2"}],"cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36326.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}