Security context
High· 8.9GHSA-5vg9-5847-vvmq CWE-93Published Jun 17, 2026

Laravel Framework: CRLF injection in default email rule

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

13.0.0 → fixed in 13.10.00 → fixed in 12.60.0

Details

## Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied addresses. ## Description Laravel applications that send email to addresses provided by users — for example during authentication flows or contact forms — may be vulnerable to manipulation of outbound mail content if the address is not adequately sanitized before it reaches the mail transport layer. An attacker who can supply an email address to such a flow may, under certain conditions, be able to influence the content of emails sent by the application, cause those emails to be delivered to unintended recipients, or cause the application's mail server to send unintended messages. ## Impact Affected applications may be exposed to unauthorized access and mail relay abuse. The severity depends on what the application sends by email and how its mail infrastructure is configured. ## Remediation Upgrade to version 12.60.0 or later, or 13.10.0 or later.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References