SB2026060124 - CRLF injection in Laravel Framework




Published: June 1, 2026

Security Bulletin ID: SB2026060124
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) CRLF injection (CVE-ID: CVE-2026-48019)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to interfere with outbound email processing.

The vulnerability exists due to improper neutralization of CRLF sequences in the default email validation rule when processing user-supplied email addresses. A remote attacker can supply a crafted email address to interfere with outbound email processing.

Under certain conditions, this may influence the content of sent emails, cause delivery to unintended recipients, or cause the mail server to send unintended messages.


Remediation

Install the update from the vendor's website.
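
A defense-in-depth check for the condition described above, usable alongside the vendor update. This is an added example in plain PHP, not Laravel's code and not the vendor's fix: it refuses any address containing CR, LF or another control character before the value reaches a mail header. The function names and the sample addresses are hypothetical and constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's code. Function names and sample inputs are
// hypothetical and constructed for illustration.

/**
 * Returns null when $address carries no header-breaking characters,
 * otherwise a short reason suitable for a log line.
 */
function mailHeaderRejectReason(string $address): ?string
{
    // Under /u, preg_match returns false on invalid UTF-8; treat that as unsafe.
    $hit = preg_match('/[\p{Cc}\x{2028}\x{2029}]/u', $address);
    if ($hit === false) {
        return 'invalid UTF-8';
    }
    if ($hit === 1) {
        // \p{Cc} covers CR, LF, NUL, TAB and the other C0/C1 controls;
        // U+2028/U+2029 are refused as well (conservative). Searching the
        // whole string also catches a trailing "\n", which a pattern
        // anchored with "$" (without the D modifier) lets through.
        return 'control character or line separator';
    }
    return null;
}

/** Escapes control and non-ASCII bytes so a rejected value cannot forge log lines. */
function escapeForLog(string $value): string
{
    return addcslashes($value, "\0..\37\177..\377");
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',
    "alice@example.com\n",
    "alice@example.com\r\nX-Constructed: 1",
    "alice@example.com\u{2028}",
    "alice\xFF@example.com",
];

foreach ($samples as $address) {
    $reason = mailHeaderRejectReason($address);
    printf("%-7s %s%s\n",
        $reason === null ? 'accept' : 'reject',
        escapeForLog($address),
        $reason === null ? '' : "  ($reason)");
}
```

Rejecting the value is preferable to stripping the characters, because a stripped address is no longer the value the user submitted.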