Mallory
Unrated

CRLF injection in Laravel outbound email processing

Identifiers: CVE-2026-48019, CWE-93

CVE-2026-48019 is a high-severity CRLF injection flaw in the Laravel framework affecting versions up to 13.9.0 and versions before 12.60.0. The issue is caused by improper neutralization of carriage return and line feed sequences in email validation or handling logic when user-controlled email address input is passed into Laravel’s mail workflow and ultimately to Symfony Mailer and Symfony Mime. In applications that use untrusted email input in features such as registration, password reset, contact forms, or other transactional messaging, specially crafted input containing CRLF sequences can alter the structure of outbound messages and interfere with normal email processing.


Impact, mitigation & remediation


Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker to manipulate outbound email headers or message structure, inject additional recipients, redirect sensitive emails, modify message bodies, or trigger unintended email transmissions. This can expose confidential communications, compromise message integrity, and enable abuse of the application’s mail infrastructure for phishing or relay activity. Reported impact is high for confidentiality and integrity and low for availability, with scope changed beyond the vulnerable component.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or sanitize all user-supplied email input before it reaches mail-generation logic, explicitly reject carriage return and line feed characters and other control characters in email-related fields, and avoid passing raw user-controlled address data directly into mail headers or recipient fields. Review registration, password reset, contact form, and notification features that incorporate untrusted email input, and monitor outbound mail systems for anomalous recipients, header anomalies, relay behavior, or phishing abuse.
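A defender-side check for the sanitization step above, added here as an example; it is not Laravel's code and not the CVE-2026-48019 fix. It assumes the closure-rule form shown in the trailing comment for wiring into a Laravel validator, and the sample inputs are constructed.

```php
<?php
// Added example (not Laravel's code, not the CVE-2026-48019 fix): reject CR/LF and
// other control bytes in user-supplied address fields before they reach the mailer.
declare(strict_types=1);

// True only for a plain single-line address candidate: no CR (\x0D), LF (\x0A), NUL,
// other C0 controls or DEL, and no surrounding whitespace. Apply it before the
// framework `email` rule and before Mail::to() / cc() / bcc().
function isSingleLineEmail(string $value): bool
{
    if ($value === '' || $value !== trim($value)) {
        return false;
    }
    // \x00-\x1F covers CR, LF, TAB and NUL; \x7F is DEL.
    return preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

// Constructed samples: two benign addresses, then inputs carrying the CRLF/control
// bytes the advisory describes. Throws if any verdict differs from the expected one.
function checkSamples(): int
{
    $samples = [
        "alice@example.com"                             => true,
        "bob+tag@example.org"                           => true,
        "alice@example.com\r\nBcc: someone@example.net" => false,
        "alice@example.com\nX-Added: 1"                 => false,
        "alice@example.com\x00"                         => false,
        " alice@example.com"                            => false,
    ];
    foreach ($samples as $input => $expected) {
        if (isSingleLineEmail($input) !== $expected) {
            throw new RuntimeException('Unexpected verdict for ' . json_encode($input));
        }
    }
    return count($samples);
}

// Laravel wiring (assumed; closure rules as supported since Laravel 9). Keep the
// `email` rule too; this only adds the control-character rejection:
//   'email' => ['required', 'email:rfc', function (string $attribute, mixed $value, \Closure $fail) {
//       if (!is_string($value) || !isSingleLineEmail($value)) {
//           $fail("The {$attribute} must not contain line breaks or control characters.");
//       }
//   }],

echo checkSamples() . " samples classified as expected\n";
```

The check is deliberately stricter than RFC address syntax: it rejects any control byte outright rather than trying to interpret folding, which is the behaviour the mitigation above calls for.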

Remediation

Patch, then assume compromise.

Upgrade Laravel to a fixed release. The issue is patched in Laravel 13.10.0 and 12.60.0. Organizations should update affected deployments running versions up to 13.9.0 or versions before 12.60.0 to the appropriate patched version as a priority, especially where applications process untrusted email address input in outbound mail workflows.

Exploits


No public exploit code observed for this vulnerability.
