GHSA-f7hx-fqxw-rvvj · Severity: high · Ecosystem: composer — Insufficient output escaping of attachment names in PHPMailer
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Conclusion & alert: CVE-2020-13625 is rated High Exploit Risk (74.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.78%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 4.93% | 3.78% | -1.15% |
| 2 | 2026-05-26 | 4.55% | 4.93% | +0.39% |
| 3 | 2026-03-25 | — | 4.55% | — |
Full EPSS history (31 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-f7hx-fqxw-rvvj · Severity: high · Ecosystem: composer — Insufficient output escaping of attachment names in PHPMailer
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
high | CVE-2020-13625: 1 source package rows (cacti); 7 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 0. | https://security.alpinelinux.org/vuln/CVE-2020-13625 |
debian
|
not yet assigned | CVE-2020-13625 not yet assigned priority: Debian including 1 source packages (libphp-phpmailer), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-13625 |
ubuntu
|
medium | CVE-2020-13625 medium priority: Ubuntu including 1 source packages (libphp-phpmailer), 16 status rows across 16 suites (bionic, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, trusty, upstream, xenial): not-affected 10, released 4, DNE 1, ignored 1. | https://ubuntu.com/security/CVE-2020-13625 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| phpmailer_project | phpmailer | < 6.1.6 | cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 31 | cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* |
| fedoraproject | fedora | 32 | cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 18.04 | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html | Broken Link |
| http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html | Broken Link |
| https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6 | Release Notes Third Party Advisory |
| https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj | Exploit Patch Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2020/06/msg00014.html | Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2020/08/msg00004.html | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFM3BZABL6RUHTVMXSC7OFMP4CKWMRPJ/ | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMH4TC5XTS3KZVGMSKEPPBZ2XTZCKKCX/ | |
| https://usn.ubuntu.com/4505-1/ | Third Party Advisory |