CRLF injection in Laravel Framework - CVE-2026-48019

 


Published: June 1, 2026


Vulnerability identifier: #VU133115
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48019
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Laravel LLC
Affected software:
Laravel Framework

Detailed vulnerability description

The vulnerability allows a remote attacker to interfere with outbound email processing.

The vulnerability exists due to improper neutralization of CRLF sequences in the default email validation rule when processing user-supplied email addresses. A remote attacker can supply a crafted email address to interfere with outbound email processing.

Under certain conditions, this may influence the content of sent emails, cause delivery to unintended recipients, or cause the mail server to send unintended messages.


How to mitigate CVE-2026-48019

Install the security update from the vendor's website.
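
One way to check for the CRLF condition described above before a user-supplied address reaches the mailer, as an added example that is not Laravel's code or the vendor's fix. The function name `addressRejectionReason` is hypothetical, the sample inputs are constructed, and rejecting all control characters (not only CR and LF) is an assumption about what an address field should accept.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical guard (added example, not Laravel's code): inspects a value
 * intended for use as an email address and reports why it should be refused.
 *
 * Returns null when the value is acceptable, otherwise a reason string.
 */
function addressRejectionReason(mixed $value): ?string
{
    if (!is_string($value)) {
        return 'not a string';
    }
    // Invalid UTF-8 would make the /u pattern below fail, so reject it first.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return 'invalid UTF-8';
    }
    // CR and LF are the characters CWE-93 is about; report where they occur.
    if (preg_match('/[\r\n]/', $value, $m, PREG_OFFSET_CAPTURE) === 1) {
        return sprintf('CR/LF at byte offset %d', $m[0][1]);
    }
    // Assumption: remaining control characters and the Unicode line and
    // paragraph separators are also never wanted in an address field.
    if (preg_match('/[\p{Cc}\x{2028}\x{2029}]/u', $value) === 1) {
        return 'control or separator character';
    }
    return null;
}

// Constructed sample inputs: one clean address, line breaks in different
// positions, a Unicode line separator, and a non-string value.
$samples = [
    'user@example.com',
    "user@example.com\r\n",
    "user\n@example.com",
    "user@example.com\u{2028}",
    ['user@example.com'],
];

foreach ($samples as $sample) {
    $reason = addressRejectionReason($sample);
    // json_encode makes the otherwise invisible characters visible.
    printf("%-30s %s\n", json_encode($sample), $reason ?? 'ok');
}
```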
